Microsoft's .Net services explained

Microsoft-hosted developer tools for creating cloud-based applications hit beta stage. Page 12.


Test Novell's SLES 11

Its new features home in on improved management and integrated virtualization. Page 26.


Virtualization upgrade helps VMware maintain its competitive edge, but concerns about vendor lock-in persist. Page 12.

The FBI as an ethical hacker?

Columnist Scott Bradner is not sure of the answer to law enforcement's problems, but hopes these efforts don't let the bad guys take over machines around the world. Page 14.


HP takes aim at Cisco with BladeSystem Matrix

Company airs converged software, server, storage and network platform. Page 34.

IT Roadmap

Upcoming ITR

One-day Network World IT event is coming to a city near you! The event features 10 IT tracks; vendor expo; peer case studies.

Register at: www.nwdocfinder.com/8728


A look back at Sun's rise and fall

BY JON BRODKIN

Oracle's surprising $7.4 billion deal to purchase Sun last week gives Larry Ellison and crew a big stake in the hardware market as well as control over Java and other well-known open source technologies. But it also spells the end of an independent Sun, one of Silicon Valley's most prominent companies.

How did it all come to this for the 27-year-old Sun, regarded as one of the industry's great innovators? The dot-com crash at the start of this decade is frequently cited as the beginning of the end for Sun, and for good reason. But acquisition missteps and a failure to monetize key products such as Java also hastened Sun's descent.

“The dot-com bust hurt everybody, but it's arguable that Sun was hurt most because it had profited so much in the run up to the boom in the first place, and hadn't grown its business out as deeply as IBM and some others,” says Pund-IT analyst Charles King.

Sun's Sparc servers with the Solaris operating system were snatched up by dot-com start-ups because of their stability and flexibility in deploying

See Sun, page 16
Cloud security fears cast shadow at RSA

BY TIM GREENE


SAN FRANCISCO — Two words — cloud security — dominated discussion and drove the action last week at RSA Conference 2009.

Throughout the event, attendees were warned of a range of danger areas in cloud computing services, including data loss and integrity, compliance, liability, reliability, authentication and information life-cycle management.

“It is a security nightmare, and it can't be handled in traditional ways,” said Cisco CEO John Chambers in his keynote address. “You'll have no idea what's in the corporate data center.”

Cloud security clearly lags, experts said, advising that until it catches up, businesses need to understand the dangers, weigh them against the benefits and exercise aggressive risk management.

■ Got some burning security questions eating at you? Read our answers, particularly on the topic of security in the cloud. Page 18.

But there are promises of help from vendors whose conference announcements were tailored to address some of the cloud shortcomings. Cisco, for instance, rolled out a cloud-based security service that pulls threat data from around the Internet and pushes it to users.

This is similar to an approach touted at the show by Trend Micro ahead of a formal announcement coming next month.

See RSA, page 20
How to create an effective end-user security awareness program. Page 30

“TODAY, USERS ARE MORE AWARE OF EXISTING THREATS, BUT THREATS ARE MORE SOPHISTICATED AND THEY MIGRATE FASTER.”

MAX REISSMUELLER, senior manager of IT infrastructure and operations, Pioneer Electronics in Long Beach, Calif.
COOL TOOLS

■ The Juice Pack Air gives extra battery life to the iPhone 3G while its hard case provides extra protection. See Cool Tools, page 24.


GOOD BAD UGLY

Time to bargain with Microsoft

Corporations armed with a savvy knowledge of Microsoft's volume licensing program may be in the best position in a long time to negotiate the cost of software, according to one analyst.

“Resellers are saying there has never been a better time to negotiate with Microsoft,” says Paul DeGroot, an analyst with independent analyst firm Directions on Microsoft. “It is a buyer's market, and it is a time when customers have had unusual bargaining power with Microsoft.” DeGroot also says that the upcoming ship dates announced by Microsoft for both Windows 7 and Office 2010 make it a tactical time to explore different volume licensing options that could help reduce costs over time.
Mozilla's patchwork

Mozilla last week patched 12 security vulnerabilities in Firefox 3, just days before it was to roll out the newest beta of its next open-source browser, Firefox 3.5. Of the dozen flaws fixed in Firefox 3.0.9, four were rated “critical,” two “high,” two “moderate” and four “low” in Mozilla's four-step ranking system. It was the most vulnerabilities Mozilla has patched since December 2008, when it quashed 13 bugs. The four critical vulnerabilities — two in the Firefox browser engine, two in its JavaScript engine — were patched by a single multi-fix update that Mozilla, as is its practice, said might be exploitable.


Tough Earth Day for EarthLink customers

ISP EarthLink was hit with a major outage last Wednesday, with EarthLink users unable to access their e-mail or any Web pages hosted by the company for hours. EarthLink says the crash occurred due to a power outage at its facility in Pasadena, Calif. Power was restored mid-afternoon and the company then went to work trying to get customers back online.


Software

CA Spectrum solutions help you pinpoint and solve information flow problems across the IT infrastructure — networks, physical and virtual systems, databases and applications — before they impact your end users.

...with payback in under a year. That's the power of lean.
Bias or tongue in cheek?

Re: Workplace surfing hounds have a new hero (www.nwdocfinder.com/9732):

In this issue, Paul McNamara makes a case for trusting Snopes.com as a fact-checking site. He then undermines his entire argument with this snide remark:

“Of course, the reason Snopes.com is more often accused of bias by conservatives than by liberals is that facts have a notoriously liberal bias.”

Unless he was just trying to be funny, Mr. McNamara just displayed his own liberal bias for all to see. Facts are just facts, either true or false — they have no “bias”. Bias is displayed by the selective use of only those facts that support your foregone conclusion.

Alf

Apple missed the boat on netbooks

Re: Apple dismisses netbook trend (www.nwdocfinder.com/9734):

Had Apple thought of it first, it would have been the greatest thing since the Apple IIe. Netbooks definitely have a place and it is apparent that Apple does not feel it necessary at this time. I have always felt that Apple has been an innovator but their “arrogance and pride” often gets the best of them.

Anon

Cheated by Cisco braindumps

Re: Cisco speaks out against exam cheating (www.nwdocfinder.com/9736):

I recently failed my recert for my CCNP, so after eight years I am no longer Cisco certified. Sadly I can't see me bothering to gain CCNP again as the braindumps have devalued the qualification so much. Cisco does not appear to be doing enough to challenge it as too many questions were repeated on my second attempt at the exam, making it easy for the cheaters. A large enough pool of questions would soon reduce the ability to cheat. Now I am the one who feels cheated.

Anon


There needs to be a balance between old and new in IT

Re: Why the basically good choice of Aneesh Chopra for U.S. CTO scares the bejeesus out of me (www.nwdocfinder.com/9733):

One of the main problems that IT faces is its focus on the new and shiny, sometimes to the exclusion of the older, but more worthy. I'm by no means a technology Luddite, progress is to be desired, but there has to be some reason for it; something beyond just being neat.

This is a double-headed monster in my opinion. First, IT types like me are often drawn to the new and sexy — maybe that's why we got into the business in the first place. Second, the flashy — particularly when it makes it to general business publications — can generate a “me too” attitude in senior executives, sometimes deflecting IT attention from less glamorous, but more necessary work.

As with most things in life, a balance between both elements of IT is probably what is most necessary.

Peter Thomas

Windows susceptible to ‘Linux exploit’

Re: Intel CPU cache poisoning: dangerously easy on Linux (www.nwdocfinder.com/9735):

This exploit has been known for a while now and is actually easier on Windows since most of the Windows boxes in the wild are already exploited in other ways. This is one of the few ways currently available to access a Linux box. Keep in mind that this is a CPU flaw and not a Linux flaw. Being an open OS, Linux is easier to utilize for such an exploit, but that also means that Linux can lock it down easier as well.

Anon

E-mail letters to jdix@nww.com or send them to John Dix, editor in chief, Network World, 492 Old Connecticut Path, Framingham, MA 01701-9002. Please include phone number and address for verification.
■ Why the Oracle/Sun deal is bad news for Microsoft and SQL Server. On the Microsoft Subnet the news that Oracle would buy Sun for $7.4 billion was a stunner — and one that will be especially hard to figure out for the Microsoft world. One of the first questions that arises is what will become of MySQL, owned by Sun? Oracle has a history of buying competitors and forcing customers of said competitors over to its higher-priced options. If Oracle deploys the "forced move" strategy, it could have Microsoft smiling, as this leaves the more affordable SQL Server as the most logical option for MySQL users that don't want to move to some sort of Oracle database. Oracle's purchase of Sun also gives it the hardware to quickly push into cloud computing in competition with Microsoft, IBM and others.

www.nwdocfinder.com/9737

■ Apple reports blockbuster earnings. Apple blogger Yoni Heisler reported Apple's announcement last week of its earnings for its most recent quarter, and reported earnings of $1.33 a share on revenue of $8.16 billion. Put another way, that's $1.21 billion in profits. In accordance with expectations, Apple reported 2.2 million Mac sales, which represents a 3% decline from the same quarter a year ago. iPhone and iPod sales figures were slightly higher than expected, with 11.01 million iPods and 3.79 million iPhones sold. Apple's earnings report should be a welcome surprise for investors, who have recently become bearish on the stock in light of surrounding economic conditions.

www.nwdocfinder.com/9738

■ Wave goodbye to Palm? John Cox blogs that Palm is one of the 12 brands doomed to extinction over the next 12 months, as predicted by Douglas McIntyre, one of the editors at 24/7 Wall St., a Web site that offers analysis and commentary for equity investors. The upcoming Palm Pre smartphone, exclusively on Sprint's network, is the "one last chance to become viable" but the odds are all against it, according to the analysis. "Palm won't be in business in a year," McIntyre writes. The analysis leaves open what might be the final form of Palm's demise (and that of the other 11 brands): shutdown, bankruptcy, or being acquired or merged. McIntyre posted his story last week, offering 12 more well-known brands that will follow in the wake of last year's extinction of Circuit City, Aloha Airlines and Gateway Computer (acquired by Acer).

www.nwdocfinder.com/9739


VMware launches vSphere

VMware says vSphere is the first virtualization system that can handle any class of enterprise workload. It's the fourth generation of the company's virtualization platform, but CEO Paul Maritz called this one a breakthrough.

www.nwdocfinder.com/9727


Honda demos motion-assistance devices

A team of engineers from Honda's research division showed off a piece of the future in New York last week, unveiling for the first time outside of Japan two motion-assistance devices.

www.nwdocfinder.com/9728


Notebook replaces trackpad with LCD panel

Sharp will sell a notebook in late May that includes an embedded optical sensor instead of a traditional trackpad.

www.nwdocfinder.com/9729


BEST OF NWW'S NEWSLETTERS

10 keys for making social networking work

Web applications: One of the big challenges when you put any kind of content or service online is getting people to actually take a look — 'page views' are the 'eyeballs' of Web 2.0. Online advertising is, of course, one way to generate traffic but there's a hefty price tag to get a big impact and initially you're going to be rolling the dice with exactly which channels to use, what kind of ads to deploy, and how much to spend. But while you're burning cash on conventional Internet advertising you should also be using social networking to spread the word. Now I know what you're going to say — “Isn't social networking just the new black?” The answer, my friend, is yes, but it's a new black that is going to be around for a long time so capitalize upon the new channel while it's fresh and relatively accessible.

www.nwdocfinder.com/9723

Tech exec: At the recent Web 2.0 Expo, PayPal's senior director of global risk management, Katherine Hutchison, warned that online fraud is on the rise. There are many factors behind this rise, not the least of which is the rapid growth of the underground cybercrime economy. Criminals have established vast botnets comprised of millions of computers that are unknowingly controlled by malicious masters. In 2008, the Georgia Tech Information Security Center estimated as many as 15% of online computers were part of a botnet — up from 10% in 2007 — and it's likely to get worse. For example, there's evidence that the recent Conficker virus is out to create an even greater population of bot computers. With so many bot devices now in place, criminals are able to easily hide both their locations and their identities to commit their assaults. As a result, the online fraud problem is growing bigger and wider. It exists wherever someone creates a new account, logs into an account, or makes a card-not-present credit purchase. Here are just a few examples of places where fraudsters are doing their dirty work.

www.nwdocfinder.com/9724
There are a number of ways to protect your network. The first should be to give CDW a call.


Cisco® ASA 5505 Adaptive Security Appliance

• Secures your network against attacks such as worms, viruses, spyware, keyloggers, Trojan horses, rootkits and hackers

• Delivers secure remote access to authenticated users on both managed and unmanaged endpoints

• Combines feature-rich VPN connectivity with comprehensive threat defense to deliver cost-effective remote network access

• Prevents unauthorized access to applications or information assets by providing businesses with fine-grain identity- or network-based access control


Juniper® Networks Secure Services Gateway 140

• Purpose-built security appliances

• Delivers a powerful blend of performance, security and LAN/WAN connectivity for medium to large regional and branch office deployments

• Offers a rich set of Unified Threat Management security features, including stateful firewall, IPSec VPN, IPS, antivirus, antispam and Web filtering

• Extensible I/O architecture delivers flexible LAN/WAN connectivity options on top of security to reduce costs and extend investment protection


Check Point UTM-1 Total Security 570 security appliance

• Includes everything you need to secure your network for up to 3 years

• Provides protection for networks, systems, and users against multiple types of threats

• Offers streamlined security deployment and administration

• Provides protection against emerging threats with SmartDefense Services


Call CDW for pricing

Check Point UTM-1 Three Year Total Security Model 570 - up to 250 users  CDW 1479293

CDW 1065037

CDW 1065105


We're there with the security solutions you need.

Security threats won't get on your network if they can't get to the network. That's why gateway security is so important. CDW has a wide selection of top-name firewall protection, antivirus, antispyware, intrusion prevention and more. Our personal account managers along with our highly trained technology specialists have the expertise you need to ensure your network is fortified and secure. So call CDW today. And eliminate threats before they even become threats.

CDW.com 800.399.4CDW

Offer subject to CDW's standard terms and conditions of sale, available at CDW.com. ©2009 CDW Corporation
Microsoft posts historic revenue stumble

For the first time in its 23-year history as a public company, Microsoft's revenue dropped in a year-over-year comparison. The company reported revenue of $13.65 billion for its fiscal third quarter, representing a 6% decline compared with the same quarter a year ago. Net income for the quarter ended March 31 came in at $2.9 billion — a 32% decline compared with last year. The news was bleak across all of Microsoft's business units, with drops in every segment except servers and tools, which has been Microsoft's most consistent performing business segment for the past two years. Still, Microsoft CFO Chris Liddell said the overall outlook is solid. “Over the next 18 months we'll bring a new wave of products to market. In the short term results will be impacted by current economic conditions, but the overall outlook is strong,” he said. “We believe the recovery will be slow and gradual.” www.nwdocfinder.com/9741


Funding for network companies plummets. Venture capital investments in network companies have dropped below $1 billion in a quarter for the first time since 1996. Even in the years immediately following the dot-com bust, quarterly investments in U.S. networking vendors never fell below $2 billion. But in the first three months of 2009, investors gave only $935 million to companies in this category, according to data provided by PricewaterhouseCoopers and the National Venture Capital Association, authors of the quarterly MoneyTree Report. The network funding totals reflect a nationwide drop in venture capital investments. In all industries, venture capitalists gave $3 billion to 549 companies during the first quarter, down from $5.7 billion spread over 866 deals in the last quarter of 2008. “The numbers look pretty grim for [the networking] sector,” says Tracy Lefteroff, a global managing partner at PwC. www.nwdocfinder.com/9742

Tech groups praise Obama pick for CTO. Tech vendors and trade groups have praised President Obama's appointment of Virginia's secretary of technology as the U.S. government's CTO, saying that Aneesh Chopra has strong experience using technology to make government more responsive to citizens. Obama, announcing the appointment during his weekly address on April 18, said Chopra will “promote technological innovation to help achieve our most urgent priorities — from creating jobs and reducing healthcare costs to keeping our nation secure.” Obama made a “stellar choice,” said Vinod Khosla, founder of Khosla Ventures. “This man is a ‘do-er’ plain and simple. He is a visionary leader and executive who can bring people together around a vision to get the job done.” Executives at Google, Intel, Sun, the Center for Democracy and Technology, the Consumer Electronics Association, TechAmerica and the Business Software Alliance also praised the Chopra appointment. www.nwdocfinder.com/9743

Some IT skills see pay hikes during downturn. Budget dollars may be tight, but that doesn't mean IT departments aren't willing to pay for key technology skills, talent and certifications. Research released by Foote Partners shows that pay for 60 skills and certifications declined in the first quarter, yet another 46 skills and certifications experienced increases in pay during the same time period. In the noncertified camp, pay for Linux skills rose by more than 28%, while Apache and Sybase skills saw 25% increases in pay. Pay for Java and HTTP skills increased by 20%. Certified IT skills that saw pay increases include HP Certified Systems Engineer (up 14.3%) and Sun Certified Programmer for Java Platform (up 13.5%). “There's a lot of hiring and reshuffling of talent right now,” said CEO David Foote. “Companies have serious labor requirements and many are aggressively stepping up, using compensation wisely to meet the demand for specific skills.” www.nwdocfinder.com/9744

AMD plans 16-core server chip. Advanced Micro Devices is designing a server chip with as many as 16 cores, quadrupling the count of its current quad-core server chips. Code-named Interlagos, the chip will have 12 to 16 cores, and will be released in 2011. Interlagos will be a follow-up offering to the 12-core chip code-named Magny-Cours that AMD plans to release in the first quarter of 2010. The 16-core chips — which are part of AMD's Opteron 6000 series — could go into servers with two to four sockets, which could mean a maximum of 64 cores per server. AMD's Opteron chips compete with Intel's Xeon server chips, but Intel has only announced an eight-core version of its Xeon chips with a chip code-named Nehalem-EX, due for release in 2010. www.nwdocfinder.com/9745

Wireless sensors track energy use. Arch Rock has created a special version of its wireless sensor networking product line to monitor energy use and identify changes to make it more efficient and to save money. Energy Optimizer combines Arch Rock's existing PhyNet IP-based sensor nodes, wireless routers and server appliance with a new electric power sensor and a data analysis and reporting application. The sensor measures electric use on a fine-grained level, by individual circuit. It can show what systems are using what amount of electricity. This data is exported to analysis and reporting software that correlates the data with budgeted spending, demand trends and other criteria. Users can see energy use by department or over a given time period, for example. “We introduce all this without affecting or changing any existing HVAC, lighting or other systems,” says Roland Acra, CEO for Arch Rock. www.nwdocfinder.com/9746

AT&T reports surge in Wi-Fi connections. AT&T says users connected to its Wi-Fi hot spots 10.5 million times in the first quarter of 2009, more than triple the volume in the first quarter of 2008. AT&T attributes the large increase to two factors: the proliferation of Wi-Fi capable devices and the expansion of the company's Wi-Fi footprint. On the device side of things, AT&T has expanded its roster of popular Wi-Fi enabled smartphones, such as the iPhone 3G and the BlackBerry Bold, which accounted for more than 4 million connections to the company's hot spots. In terms of Wi-Fi hot spots, AT&T's 2008 Wayport acquisition and Starbucks deal helped the company expand its Wi-Fi footprint to roughly 20,000 locations in the United States and more than 80,000 locations around the world. www.nwdocfinder.com/9747

Canonical optimizes Linux distribution for netbooks. Canonical has released a Linux distribution optimized for netbooks. The Ubuntu Linux 9.04 Netbook Remix is designed to run basic Web and office applications typically used on netbooks. The operating system boots faster than other Ubuntu distributions and has better power-management features to boost battery life, Canonical said. It also centralizes applications and bookmarks under one interface to rapidly access programs and Web sites. www.nwdocfinder.com/9748
CA Security Management software streamlines your IT security environment so your business can be more secure, agile and compliant without upsizing your infrastructure. All with faster time to value. Greater efficiency starts with more efficient IT.

That's the power of lean.

Learn more at ca.com/security
.Net Services: Microsoft's future

On April 1 Microsoft released the Community Technology Preview beta of .Net Services, which are a set of Microsoft-hosted developer tools for creating cloud-based and/or cloud-aware applications. Microsoft asserts that its cloud operating system, Azure, will be fully open and able to support any application built on any platform, via these tools. Burley Kawasaki, director of developer platform product management, sat down with Editor Julie Bort to discuss .Net Services. For the full transcript of the interview, see www.nwdocfinder.com/9726.

Buzz over vSphere can't quell vendor lock-in issue

BY JON BRODKIN

VMware's highly anticipated vSphere software appears robust enough to maintain the vendor's technology edge over its competition, but there are still lingering questions about vendor lock-in when it comes to the VMware virtualization platform.

VMware last week introduced vSphere, calling it a “cloud operating system” because of its ability to aggregate the virtual resources in the data center into one centrally managed computing pool, or private cloud.

In pushing the private cloud, VMware is hoping IT shops will build highly virtualized, fault-tolerant, self-service data centers that resemble those of cloud providers such as Amazon and Google, but which exist solely within the firewall for the benefit of an enterprise's own users. VMware says it will eventually release an upgrade letting IT shops connect their private clouds to cloud services offered commercially by Terremark, Savvis and SunGard.

vSphere is a major move for VMware and one that was necessary to keep the virtualization market leader ahead of competitors Microsoft and Citrix, analysts say.

“VMware has Microsoft, Citrix and in a very niche way Parallels over in the Mac market nipping at their heels,” says Laura DiDio, an analyst with Information Technology Intelligence. “There's been a lot of buzz about [Microsoft's] Hyper-V. Citrix has done a lot of price cutting. VMware needs to say ‘OK, I see your initiative and I raise it.’”

vSphere is the follow-up to VMware Infrastructure 3, the name given to VMware's core hypervisor and related management tools. vSphere will be available later in the second quarter.

While VMware is promising new levels of flexibility in the data center with vSphere, the company still promotes vendor lock-in by refusing to support competing virtualization products, industry watchers say.

Microsoft's System Center Virtual Machine Manager is capable of managing virtual machines (VM) created both with Microsoft's Hyper-V platform and VMware's ESX hypervisor. Despite the presence of Hyper-V and Citrix's XenServer, and the fact that many data centers use multiple virtualization products, VMware has consistently claimed that there is no market pressure for them to support competing hypervisors.

“We’re taking the stance that, if and when

See VMware, page 14


Microsoft has been promoting four major cloud initiatives: Windows Azure, SQL Services, .Net Services and Live Services. What’s the difference?

All four are part of an effort to deliver the Azure Services Platform. Windows Azure is the ‘cloud operating system’; it provides the low-level resources like compute and storage. On top of the cloud operating system we also deliver building-block services oriented at developers building apps — they can use these additional services either in a stand-alone fashion or in conjunction with Windows Azure. SQL Services provides cloud-based relational storage; Live Services provides cloud-based consumer services. .Net Services is a set of hosted services that extend the .Net programming model to take advantage of some of the unique types of app scenarios that you can build targeting the cloud.

What features does .Net Services offer?

Most customers will start by taking their existing .Net apps and looking for extension opportunities. We’ve added the “service bus” (for secure messaging across the firewall from on-prem to the cloud); “access control” (to easily federate identity info across identity mechanisms); and “workflow” (to provide rules that help you route the messages as they flow across the service bus). As part of the service bus, we provide access control capabilities that recognize also that you want to secure your messages as they cross firewall boundaries (between on- and off-prem), and also the ability to provide workflow that controls the flow of messages.

How does .Net Services access control fit with the Geneva cloud identity platform?

Geneva is the codename for a set of the technologies we’re releasing in the future, across both server (Geneva server) and framework (Geneva framework). We’re complementary to those investments by also providing the cloud component of this, completing the triangle. You as a developer can easily build “claims-aware” apps (using Geneva fx), easily connect/federate identity with your existing on-prem applications (using Geneva server), and if you want to connect over into the cloud (or across clouds) then .Net Services provides the cloud-based identity federation component. We built .Net Services working very closely with the Geneva team, to apply the same claims-based identity model deeply across the technologies so that they work together very well.

What’s up with Oslo and has it materialized yet with .Net Services CTP?

We just released another update to the [Oslo] CTP in January. Oslo is part of .Net development. We see Oslo as providing a broad platform for building all types of apps, and helping give you greater productivity by applying metadata and model-driven techniques. It turns out that one of the sweet spots of model-driven type development happens to be for the cloud, to really take advantage of the elasticity and scale that you can provide in the cloud; we use lots and lots of model-driven techniques under the covers in Azure. So it’s only natural that we would apply our Oslo platform investments at some point to highlight the different types of cloud app scenarios that customers want to build. This is something we’ll be talking more and more about throughout the year.


there is a critical mass for something to be supported, we will support it,” says Bogomil Balkansky, VMware’s vice president of product marketing.

DiDio calls the issue a “tricky tap dance that all the vendors are playing. They don’t, in any way, shape or form, want to support other people’s platforms. However, given that it’s a buyer’s market they can’t appear to be too recalcitrant, because the customers will push back and say ‘hey, you don’t care about us.’”

VMware scales up

Balkansky says the goal of the cloud operating system is to turn IT into a pay-as-you-go service that is always available through a Web portal. vSphere aggregates all the virtualized x86 components of the data center and gives the IT administrator greater control over service levels, he says.

vSphere will let customers create a single computing pool consisting of as many as 32 physical servers and 2,048 processing cores, 1,280 VMs, 32TB of RAM, 16 petabytes of storage and 8,000 network ports, according to VMware.

Compared with VMware Infrastructure 3, vSphere will double the processors available to VMs, more than double the network interface cards available to VMs, quadruple memory, triple network throughput, and double maximum I/O operations per second to more than 200,000.

Thin provisioning technology will cut storage needs in half, and other improvements will let customers consolidate onto fewer physical servers and save on power and cooling. A Distributed Power Management system will use VMotion live migration to automatically place VMs on as few servers as possible while powering down physical boxes that aren’t needed. Live migration of VMs and storage has been enhanced to make it easier, DiDio says.

New fault tolerance capabilities will guarantee failover with zero data loss and zero downtime in the case of hardware failure, Balkansky says. This is an improvement over today’s VMware high-availability software, in which failing over requires about a two-minute service interruption, he says.

Pund-IT analyst Charles King says vSphere, coupled with a new EMC Symmetrix storage system designed for virtual data centers, is a step forward in cloud computing technology.

“Frankly, the cloud is something that cannot exist without virtualization,” King says. With EMC’s new system highlighting the importance of mapping virtual servers to the supporting storage environment, “that’s a place where the two companies working together can provide a very interesting and very powerful value proposition,” he says.


As with any new IT product, there are limitations in vSphere. The ability to federate the internal data center with those of cloud providers will not be available until later this year. This federation will let customers manage internal and external resources from the same pane of glass, but it will only work with the products of vendors who are using vSphere.

VMware’s cloud partners include more than 500 service providers such as Terremark, Savvis, Telefonica, T-Systems, SunGard and BlueLock. But the list does not include Amazon, one of the most popular vendors offering storage and compute services over the Internet cloud.

Microsoft has criticized VMware for making its products too expensive, an issue VMware addressed with vSphere by offering additional pricing options to lower the point of entry. Packages for small IT shops start at $166 per processor. Last year, VMware made its basic hypervisor free, but still charges for the management tools that help data centers realize all the flexibility benefits of virtualization.

Adding lower pricing tiers is a smart move, DiDio says. “As server virtualization becomes more commoditized they had to do it, and not just because of Microsoft. Citrix has had price declines too. You have to battle market pressure, especially when there is more competition and you know the competition is gunning for you.”


The FBI as an ethical hacker?

More details are emerging about how the FBI engages in hacking and the planting of spyware.

This story goes back to at least 2001 when Bob Sullivan of MSNBC and Ted Bridis of AP broke the story of Magic Lantern. At the time the FBI did not want to say much, but now there is real information that clears up some things and reinforces real concerns over this approach.

Law enforcement is faced with some very hard problems when it tries to find and get evidence on bad guys. There are a lot of tools that you and I can use to make the Internet safer when doing business on the ‘Net or to protect our privacy if we need to blow the whistle on someone or communicate with a support group. You should be using encryption on your own computer so that your personal or business records are not compromised if your computer is stolen. You can use anonymizing proxies or anonymizing networks if you are a dissident living in a repressive society or would like to visit a mental health support group. These are important tools when used by the good guys, but make life harder for law enforcement when used by the bad guys.

Though note that both of these technologies are far too important to give up just to make law enforcement’s job easier.

Still, law enforcement needs to overcome tools of this type if they are to catch the people they are after. This is where Magic Lantern, and its less prosaically named successor, “Computer & Internet Protocol Address Verifier” (CIPAV), come in. These systems are officially sanctioned spyware, theoretically only used when permitted by the courts (in the United States at least).

Wired.com was able to get a bunch of documents on CIPAV under the Freedom of Information Act that help to explain it. After being surreptitiously installed on your computer by exploiting some software bug, CIPAV sends the FBI information about your computer then starts monitoring computer activity (software like this is used by bad guys to steal your bank account passwords). In this case, the FBI can use it to find your encryption keys. Also, because your computer sends its actual location and other information directly to an FBI computer, using an anonymizing proxy will not hide you. (But something like Little Snitch may let you know that something funny is going on.)

CIPAV is a useful tool for law enforcement and, assuming it is properly applied, good for society. But, even making the assumption that CIPAV will always be properly applied, there are real problems with it.

The FBI depends on exploiting software bugs to install CIPAV. I would like my software vendors to fix bugs that would let in spyware even if it makes life hard for the FBI. I hope that the software vendors are not leaving bugs unfixed or purposeful back doors just to help the FBI, because sooner or later the bad guys will find them and exploit them.

Also I’d like my antispyware software to find and report on all spyware, but there have been reports that some antispyware companies have agreed to ignore the FBI tool. This provides a great opportunity for spyware developers to create software that looks enough like the FBI program so that the antispyware software will ignore it as well.

I do not know what the right answer is to law enforcement’s problems, but I would like it not to facilitate bad guys taking over machines all over the world.

Disclaimer: Facilitating bad guys is not an explicit Harvard goal, but one cannot control one’s graduates. Harvard has not expressed an opinion on CIPAV that I know of, so the above review is mine.

Bradner is Harvard University’s technology security officer. He can be reached at sob@sobco.com.
various applications at affordable prices, King says. “In the months following the bust, there was a huge amount of Sun product that was out on the street and it precluded the need for people to upgrade or purchase new equipment,” he says.

Sun prized its Sparc architecture so much that it missed the industry-wide transition to x86 processors, analysts say. Sun actually did sell x86-based systems in the 1980s, but concentrated its efforts on Sparc for most of the 1990s. In King’s view, Sun treated x86 systems as nice toys, but not platforms that could be used to power a serious corporate data center. Sun did increase its presence in the x86 market in the years following the dot-com bust with AMD- and Intel-based servers, but it seems to have been too little, too late.

The biggest reason for Sun’s downfall is “the inability to recognize the x86 open architecture, as opposed to what they were selling with the Sparc processors,” says Enterprise Strategy Group analyst Brian Babineau.

Babineau also faults Sun for pursuing a “non-capitalistic strategy” by emphasizing open source, yet failing to monetize key products such as Java.

King and Babineau point to failed acquisitions. King notes Sun’s $2 billion purchase of Cobalt Networks, a server appliance vendor that never produced any real dividends.

Sun has attempted to compete in many different hardware and software markets, but is too often in third or fourth place, Babineau says. Sun bought MySQL for $1 billion in 2008, for example, challenging the database market where Oracle was already king. Sun also executed poorly in the storage market after purchasing the vendor StorageTek for $4.1 billion in 2005, Babineau says.

“There was just mismanagement,” he says. “They purchased so many different things over the years. It was panic and frantic at the end.”

Following the dot-com crash, Sun’s profits took an immediate dive. After reporting net income of $1.85 billion in fiscal 2000, that number was halved to $927 million in 2001. Sun lost $628 million in fiscal 2002 and a whopping $2.4 billion in fiscal 2003. It returned to profitability in fiscal 2007, but ultimately the company reported net losses in three of the four most recent quarters, and the sharks started circling. IBM offered $7 billion to buy Sun, only to be rebuffed. Several analysts doubted that Sun could find another buyer after rejecting IBM, but then Oracle came calling.

One reason Sun couldn’t go on in its present form is that the company had a core group of loyal customers but wasn’t able to win many new accounts, King says. And for many years, when Sun’s customers wanted a reliable x86 platform they had to turn to Sun’s competitors.

“The history of the Valley is littered with the dried husks of companies that had great technology but didn’t understand the dynamics of the commercial market they were trying to compete in,” King says.

27 years of Sun

1982: Sun is founded by Vinod Khosla, Bill Joy, Andy Bechtolsheim and Scott McNealy, and introduces its first Unix workstation product.

1984: John Gage, Sun’s fifth employee, coined the phrase “The network is the computer.”

1985: Sun designs first Sparc processors. Khosla leaves Sun to join a venture capital firm.

1986: Sun goes public with successful IPO, extends operations to Asia and Australia, having already set up shop in Europe.

1987: Sun and AT&T form alliance to develop Unix technology.

1988: Sun hits $1 billion in revenue.

1990: Sun engineers begin working on Java.

1991: Sun debuts Solaris, a Unix-based operating system.

1995: Sun brings Java to market. In the same year, Bechtolsheim leaves Sun to found switching company Granite Systems, later acquired by Cisco.

That’s not to say Oracle won’t be able to gain success with Sun’s technology. While Sun has failed to maintain profitability, the company did pull in more than $3 billion in revenue in the most recent quarter.

Oracle is touting Java and Solaris as two key software assets that will help Oracle and Sun turn a larger profit than they could separately. Oracle, which is expected to significantly reduce Sun’s expenses, predicted that Sun will bring $1.5 billion in operating profit in its first year as part of the combined company.

“Java is one of the computer industry’s best-known brands and most widely deployed technologies, and it is the most important software Oracle has ever acquired,” Oracle said. “The Sun Solaris operating system is the leading platform for the Oracle database. With the acquisition of Sun, Oracle can optimize the Oracle database for some of the unique, high-end features of Solaris.”

1997: Sun’s new 64-processor Enterprise 10000 servers boast the “processing power of four mainframes.”

September 2000: Sun uses $2 billion of stock to acquire Cobalt Networks, a maker of Linux-based server appliances. The deal was a failure, with Sun retiring the product line three years later.

2003: Sun begins developing AMD-based x86 servers.

August 2005: Sun purchases StorageTek for $4.1 billion.

April 2006: Jonathan Schwartz takes over CEO role from Scott McNealy, who remains chairman of the company.

November 2006: Sun open sources the bulk of Java.

February 2008: Sun purchases MySQL open source database company for $1 billion.

October 2008: Bechtolsheim, who had returned to Sun as chief architect, takes full-time role with Ethernet switching start-up Arista Networks but keeps an advisory role at Sun.

November 2008: Sun unveils Amber Road iSCSI storage appliances that combine standard hard drives with flash memory.

April 20, 2009: Oracle announces agreement to purchase Sun for $7.4 billion.

With Oracle seemingly most excited about Sun’s software platforms, Babineau speculates that Oracle might sell off the hardware business. Other analysts say Oracle should leverage its new hardware capabilities with data warehousing appliances that integrate MySQL and other Oracle databases into Sun servers.

On the whole, Oracle’s announcement of the purchase was “remarkably devoid of detail,” King says, so it’s tough to say what the combined company will look like. Oracle and Sun had such tight partnerships already that dramatic changes may be the exception rather than the rule, he says.

“Frankly, Oracle and Sun have worked very closely for the better part of two decades and I don’t really see what the companies will be able to do as a single organization that they haven’t already done,” King says.
Burning security questions

Addressing employee monitoring, security automation, mobile computing

BY ELLEN MESSMER

There’s no shortage of burning questions about IT security these days, some sparked by nasty threats, others by economic concerns and some by growing use of social networking sites and cloud computing.

We spoke to about two dozen experts — IT customers, analysts and vendors — to nail down some answers:


1. Can you no longer avoid closely monitoring employees?

The insider threat has always existed, but in an era of economic upheaval and uncertainty the problem is magnified. That point came across in a recent Ponemon Institute survey of 945 individuals who were laid off, fired or quit their jobs during the last year, with 59% admitting to stealing company data and 67% using their former company’s confidential information to leverage a new job.


2. How far should IT managers go to protect corporate data?

“There’s a balance,” says Max Reissmueller, senior manager of IT operations and infrastructure at Pioneer Electronics, based in Long Beach, Calif. “I wouldn’t want managers coming to me to keep an eye on a particular employee, wondering what they are doing every minute.”

At the same time, Pioneer is determined to protect its intellectual property, customer service lists and other sensitive data.

“I don’t want a disgruntled employee trying to take a bunch of information,” Reissmueller says. That’s a main reason the firm has installed network-access control (NAC) gear to monitor traffic to the “crown jewels” and to keep an eye on whether employees are trying to overstep their authority.

Using a ConSentry switch and NAC product, Pioneer will watch for patterns that might reveal wrongful behavior and block it. “But I don’t want my security staff to become Big Brother,” Reissmueller says.

All it takes is a data-leakage case to compel organizations to beef up their monitoring.

The University of Arizona went through a few data-leak imbroglios in which it had to make public notification about exposed personal data, says Eric Case, the university’s information security officer.

That induced the university’s information and security office to kick off a program that involved making sure that faculty staff weren’t leaving sensitive data lost and forgotten in computers.

To determine that, the university has deployed data-leak prevention (DLP) freeware called Spider that can go out and look into a targeted machine to see if it’s holding data that shouldn’t be there in order to either delete it or move it to a more secure server. Although the security staff did explain in depth what it was up to, “we had a couple of people freaked out because we were looking at their files,” Case says, speaking about the topic at the recent Infosec World conference in Orlando.

But after calming people down, the DLP process had to proceed because “we know we have data all over the place,” Case says. “Have we reduced our threat surface? Quite a lot.”

Rick Haverty, director of IS infrastructure at the University of Rochester Medical Center, says laws and regulations regarding patient healthcare information leave no choice but to confront instances where it appears employees may have broken rules. One concern is an employee taking a sneak peek at someone’s medical records without cause.

“People have been fired for this,” he notes, adding that the start of an investigation usually involves a complaint about someone gossiping about a patient’s medical circumstances. An investigation would generally involve examining log records to determine whether inappropriate access to records may have occurred.

Gartner analyst John Pescatore says the key word to think about is how “closely” to monitor employees.

“There is definitely a requirement to monitor critical business data leakage from employees, and a requirement to monitor what comes into their PCs to prevent malware,” Pescatore says. “However, in the real world, there is less of a need to monitor every action a user takes, block them from every Web site that is not work-related, or try to keep them from using their work PC for anything but work, or keep them from using their home PC for work.”

The trend toward work/home mixing is underway and “security can’t stop this any more than it could stop the Internet, wireless LANs or other previous trends,” he says.


3. Should you choose a strategic security vendor or shoot for best of breed?

A huge debate these days is whether to select a strategic security vendor to provide the majority of security products and services, or opt to evaluate point products, including those from start-ups, with an eye toward best of breed.

“My tendency is to lean toward a strategic vendor if we can,” says Rick Haverty, director of IS infrastructure at the University of Rochester Medical Center in New York, which includes hospitals and medical research centers. Cisco is the strategic networking vendor for URMC, and using IronPort, Cisco’s Web-filtering appliance, solidifies URMC’s business clout with Cisco, Haverty says.

But he adds he doesn’t yet see the benefit of product integration that choosing a strategic security vendor is supposed to bring, such as a common management console, in Cisco networking and security products.

“They’re just not there yet,” he says.

URMC also looks for point products to meet the organization’s needs, turning to vendors such as Voltage for e-mail encryption with business partners and Check Point for its PointSec whole-disk encryption for the desktop. Haverty says he knows he has to be pragmatic in making choices about enterprise security.

Brad Blake, director of IT at Boston Medical Center, says the outlook at the healthcare provider he works for is to buy best of breed for clinical applications but focus on a strategic vendor — or two — for security.

The main reason is the strategic security vendor approach can help stretch a budget and gain the advantage of a common management platform, he says.

Boston Medical Center considers McAfee a strategic vendor because it makes use of the vendor’s large portfolio of security products and its ePolicy Orchestrator console to manage them. ArcSight is also considered a critical vendor because its security information management platform can combine log data from many sources for analysis.

Although Boston Medical Center is a “Cisco shop,” the healthcare provider hasn’t been impressed enough with Cisco’s service to warrant expanding into Cisco security products.

George Japak, head of ICSA Labs, which tests a wide variety of security products, says Cisco is layering security such as antivirus and firewalls into switches and routers. Increasingly, the larger Fortune 2000 companies reliant on Cisco gear are choosing Cisco as their strategic security vendor as well as a way to reduce complexity in their networks.

But he argues that strategic security vendors can’t be given an easy pass and “have to be held accountable” on every security function they’re given.

“You can have a primary security vendor but keep other vendors in play; don’t preclude other vendors,” Japak says.

Gaby Dowling, manager of IT security at law firm Proskauer Rose, believes it isn’t logical to consider anything “strategic” if the vendor and the product can’t rapidly adapt to a changing threatscape. “Just because products come from the same vendor doesn’t mean they integrate well in my experience,” she says.

ONLINE: More questions

Read through two more questions we pondered from the security realm.

www.nwdocfinder.com/9730

4. Can security processes finally be automated?

Automation of security is a concept with momentum this year as some of the larger federal agencies, including the Department of Defense, the National Security Agency, the Department of Agriculture and Energy, are pushing for a new direction beyond the current FISMA audit mandate for compliance. They want Congress and the Obama administration to consider adopting the Consensus Audit Guidelines, a set of 20 security technical controls that encourage automation.

But can security processes be automated?

Areas considered technically mature, such as scanning and intrusion prevention, can be automated, says Gartner analyst John Pescatore.

“But since the threat and technology environments change rapidly in the real world, security automation is limited. It is great to talk about but for real companies, the actual business benefit is limited,” he says.

However, some IT managers say they are reluctant to make purchases of security products and services unless they contribute to automation.

“We’re completely automated as far as the ID creation is concerned,” says Mike Ruman, enterprise communications and messaging manager at Grant Thornton, an accounting firm with more than 50 offices and 6,000 employees. Automated provisioning can create a user ID in eight minutes and assign that individual to security groups based on job code and department, he says.

The firm uses Imanami’s GroupID provisioning to synchronize with human resources and departmental databases, as well as Microsoft’s Active Directory to update employee online privileges every two hours.

“If there are changes, it keeps the information updated and user access might be closed,” Ruman says. The weak link in the chain — which he saw happen once — was HR forgetting to take action in an employee termination.
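The provisioning cycle just described, as an added example that is not Imanami’s, Grant Thornton’s or the article’s own code: an HR feed drives account creation, job code and department drive group membership, and a recorded termination or a missing HR record closes access. The record layouts, the group map and the orphan check are assumptions made for this illustration.

```python
"""Constructed provisioning reconciliation (not Imanami's or Grant Thornton's
code): HR attributes decide groups; a termination or missing record closes access."""
from dataclasses import dataclass, field

# Constructed mapping of (job code, department) to security groups.
GROUP_MAP = {
    ("AUD1", "Audit"): {"g-audit-staff", "g-engagement-files"},
    ("AUD3", "Audit"): {"g-audit-staff", "g-engagement-files", "g-audit-approvers"},
    ("TAX1", "Tax"): {"g-tax-staff"},
    ("IT2", "IT"): {"g-it-ops", "g-helpdesk-admins"},
}
BASELINE_GROUPS = {"g-all-employees"}


@dataclass
class HRRecord:
    user_id: str
    job_code: str
    department: str
    status: str  # "active" or "terminated"


@dataclass
class DirectoryAccount:
    user_id: str
    enabled: bool
    groups: set = field(default_factory=set)


def expected_groups(rec):
    """Groups an employee should hold, derived only from HR attributes."""
    if rec.status != "active":
        return set()
    return BASELINE_GROUPS | GROUP_MAP.get((rec.job_code, rec.department), set())


def reconcile(hr_records, directory):
    """Apply one sync cycle to directory (user_id -> DirectoryAccount); return actions."""
    actions = []
    seen = set()
    for rec in hr_records:
        seen.add(rec.user_id)
        acct = directory.get(rec.user_id)
        if rec.status == "terminated":
            # Termination recorded in HR: close access and strip every group.
            if acct is not None and acct.enabled:
                acct.enabled = False
                acct.groups.clear()
                actions.append(("disable", rec.user_id))
            continue
        want = expected_groups(rec)
        if acct is None:
            directory[rec.user_id] = DirectoryAccount(rec.user_id, True, set(want))
            actions.append(("create", rec.user_id))
            continue
        if not acct.enabled:
            # HR says active but the account was disabled by someone (e.g. an
            # investigation): never re-enable automatically, hand it to a human.
            actions.append(("review", rec.user_id))
            continue
        for group in sorted(want - acct.groups):  # promotion or transfer in
            acct.groups.add(group)
            actions.append(("add", rec.user_id, group))
        for group in sorted(acct.groups - want):  # transfer out or demotion
            acct.groups.discard(group)
            actions.append(("remove", rec.user_id, group))
    # Enabled accounts with no HR record at all are orphans: disable them.
    # The weak link the article describes is NOT caught here: if HR never records
    # a termination the record still reads "active", so a separate leaver check is needed.
    for user_id, acct in directory.items():
        if user_id not in seen and acct.enabled:
            acct.enabled = False
            acct.groups.clear()
            actions.append(("disable-orphan", user_id))
    return actions


def run_sample():
    """Run one cycle over constructed HR and directory data."""
    hr = [
        HRRecord("alice", "AUD1", "Audit", "active"),   # unchanged
        HRRecord("bob", "AUD3", "Audit", "active"),     # promoted
        HRRecord("carol", "TAX1", "Tax", "active"),     # new hire
        HRRecord("dave", "IT2", "IT", "terminated"),    # left, and HR recorded it
        HRRecord("frank", "AUD1", "Audit", "active"),   # account disabled by hand
        HRRecord("grace", "TAX1", "Tax", "active"),     # moved from Audit to Tax
    ]
    audit = {"g-all-employees", "g-audit-staff", "g-engagement-files"}
    directory = {
        "alice": DirectoryAccount("alice", True, set(audit)),
        "bob": DirectoryAccount("bob", True, set(audit)),
        "dave": DirectoryAccount("dave", True, {"g-all-employees", "g-it-ops"}),
        "erin": DirectoryAccount("erin", True, set(audit)),  # no HR record at all
        "frank": DirectoryAccount("frank", False, set()),
        "grace": DirectoryAccount("grace", True, set(audit)),
    }
    return reconcile(hr, directory), directory
```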

Ruman  notes  that  the  auto-provisioning 
process  in  place  also  helps  auditors  because 
it’s  simple  to  generate  reports.  One  of  the  main 
barriers  he’s  seen  to  security  automation  has 


been  company  politics,  particularly  “adminis¬ 
trator  turf  wars”  in  which  systems  administra¬ 
tors  squabble  over  tasks  that  are  often  manual. 

However,  skepticism  about  the  prospect  of 
automated  security  abounds. 

“Like  flying  cars,  people  have  been  waiting 
for  total  security  automation  for  years,”  says 
Tracy  Hulver,  executive  vice  president  for  mar¬ 
keting  and  products  at  NetForensics.a  maker  of 
security-event  management  products 
designed  to  help  automate  collection  of  secu- 
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rity  and  log  data. 

“Unfortunately,  that  is  something  that  is  still 
years,  if  not  decades,  away  from  being  real¬ 
ized,”  she  says,  adding  automation  has  helped 
with  some  aspects  of  security  response,  “but 
human  intervention  is  still  required  to  be  able 
to  respond  appropriately’ 
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sites 


How  scared  should  you  be  about 
security  statistics? 

@3  Did  you  know  the  number  of  Web 
infecting  PCs  with  password-stealing 


crimeware  reached  an  all-time  high  of  31,173 
in  December,  according  to  the  APWG  (former¬ 
ly  Anti-Phishing  Working  Group)  coalition? 

Or  that  data  breach  costs  rose  to  $6.6  million 
per  breach  last  year,  up  from  $6.3  million  in 
2007,  according  to  the  Fonemon  Institute.  Or 
that  3%  to  5%  of  enterprise  desktops  and 
servers,  mainly  Windows,  are  apt  to  be  infected 
with  botnet  code,  according  to  security  firm 
Damballa,  based  on  an  analysis  of  its  cus¬ 
tomers’  network  traffic. 

News  reports  are  filled  with  such 
disturbing  statistics,  but  do  IT  man¬ 
agers  find  themselves  worrying 
about  it  all? 

“We  all  pay  a  little  bit  of  attention,” 
says  Jeff  Keahey  CIO  at  Wardlaw 
Claims,  a  Waco,  Texas,  property  and 
auto  claims  insurance  adjuster.  “But 
we  try  to  evaluate  their  bias.” 

In  general,  it  usually  looks  like 
someone  is  trying  very  hard  to  “get 
you  to  lean  toward  a  certain  prod¬ 
uct”  and  “a  lot  of  statistics  come  with 
an  advertisement  in  towf  he  notes. 

Though  he  does  take  it  all  with  a 
grain  of  salt,  Keahey  says  he  may 
look  at  statistics  as  a  general  guide¬ 
line  about  trends,  and  they  may  have 
some  influence  in  deciding  direc¬ 
tions  to  take  in  countering  threats. 

One  vendor,  Cloudmark,  which 
makes  e-mail  security  products,  dis¬ 
counts  the  importance  of  security 
statistics  that  pop  up  in  media 
reports. 

“An  organization  should  be 
focused  far  more  on  their  own  inter¬ 
nal  metrics  for  determining  their 
security  posture,  rather  than  on  out¬ 
side  statistics,” says  Adam  O’Donnell, 
director  of  emerging  technologies  at 
Cloudmark. 

However,  Unisys,  a  systems  integra¬ 
tor,  begs  to  differ. 

Unisys  over  the  last  two  years  has 
undertaken  a  semi-annual  survey  of 
about  14,000  individuals  in  13  coun¬ 
tries,  asking  them  eight  questions 
about  their  perception  of  personal, 
financial  and  national  safety  online. 

For  businesses  concerned  about 
what  consumers  are  thinking,  the 
results  are  one  factor  to  consider, 
Unisys  contends,  pointing  to  the 
value  of  statistics. 

“It’s  fascinating  to  see  how  different  the 
results  are  by  country  and  demographics,”  says 
Tim  Kelleher,  vice  president  and  general  man¬ 
ager  of  managed  security  services  at  Unisys. 
“The  world  isn’t  homogenous.  In  France,  no 
one  is  very  worried  about  this  stuff  at  all.  But  in 
Brazil  and  some  of  the  Asian  countries,  people 
are  feeling  very  insecure  online. The  U.S.  is  sort 
of  in  the  middle.” 

In  general,  Kelleher  thinks  statistical  trends 
are  more  significant  than  the  numbers 
bandied  about  at  the  moment.  ■ 
In his keynote address at RSA, Cisco CEO John Chambers called cloud security a nightmare, saying it cannot be handled in traditional ways.


RSA

continued from page 1

Its OfficeScan client-server suite relies on servers in Trend’s network to check the reputations of files, Web content and e-mail rather than relying on desktop protection, which may not be up-to-date.

Similarly, McAfee’s CEO Dave DeWalt during his keynote address announced his company’s road map toward predictive security: cloud-based sharing of threat intelligence among different categories of security devices to find and block malicious activity sooner than traditional methods.

Network services provider Savvis launched a Web application firewall service based on a choice of Imperva WAF appliances or virtual instances of its software that reside between the Internet and its network. Savvis said it thinks customers comfortable with its software-as-a-service offerings will also embrace cloud-based security.

Arthur Coviello, president of conference sponsor RSA, said his company’s cooperation with Cisco and Microsoft will result in a common language to enable the sharing of intelligence about data-loss threats in the cloud as well as within corporate networks.

Nevertheless, defensive measures lag far behind the known vulnerabilities of public cloud computing services, according to customer-driven groups trying to deal with the problems.

During RSA, two major cloud-security groups — one primarily based in the United States and one European — informally joined forces to pressure vendors to do more.

The Cloud Security Alliance (CSA) used the show as a platform to launch its efforts to standardize security for cloud computing with the release of its “Security Guidance for Critical Areas of Focus in Cloud Computing,” an 83-page document detailing 15 areas of security concern.

Later that same day the Europe-based group Jericho Forum served up an outline of the threats it perceives.

Chris Hoff, a security consultant who wrote the architecture section of the CSA paper, shuttled from that group’s launch over to the nearby Jericho Forum event to support its effort, which he says overlaps very closely with that of CSA. “Your concepts make sense,” he said.

The groups, which tout members that include large corporations such as Eli Lilly, eBay and ING, need to use their influence as major customers to demand products that address cloud threats, Hoff said. “It’s the large end-user organizations that will drive it,” he said of the cloud-security standardization push.

There are plenty of standards needed, at least judging from the 15 cloud-security conference sessions dedicated to discussing them, but that isn’t slowing the adoption of public cloud services, according to experts at the event.

In fact, widespread adoption of cloud computing services is unstoppably underway, according to a Deloitte-Ponemon Institute survey released at RSA. Nearly 45% of respondents have already bought cloud computing services and 22% say they are considering them, according to the survey. “Outsourced cloud is here,” said Rena Mears, partner and leader with Deloitte’s security and privacy services, who spoke during a conference session.

The downside is that most businesses don’t have a plan for checking to see if their cloud service provides the security it promises, she said, leaving the customer with uncertain security but stuck with any liability should private customer data be compromised.

Businesses are signing up for cloud services without scrutinizing the contract terms written by providers, said Randy Sabett, a privacy attorney with the firm Sonnenschein Nath & Rosenthal. “There is a shift in how businesses are striking a balance,” he said. “What do we weigh more, cost savings or legal liability? They are deemphasizing the risk.”

The risk comes not only from potential data loss, but also from running afoul of regulations, he said. For example, regulations may call for encrypting data in storage, but how can customers know whether providers encrypt it or not? Regulations vary from country to country, so how can a provider show that data restricted to a particular geographic location by European Union rules is staying where it’s supposed to be within its multinational cloud?

Businesses should find out whether contracted services are being provided, perhaps aided by third-party certification that clouds meet established standards.

In a private briefing during RSA, HP said the issue of certification may not be as difficult as it seems. Jim Alsop, vice president of service delivery operations for EDS, which is owned by HP, said the company is considering whether to certify cloud provider networks as secure.

Control Objectives for Information and Related Technologies (COBIT), a standard used by many corporations to meet security requirements of the Sarbanes-Oxley Act, could fit the bill, Alsop said.

A modified version of the Statement on Auditing Standard 70 (SAS 70) might also be useful, he said. SAS 70 is a set of rules set down by accountants for auditing how transactions are processed within a service organization. Adapted to the specifics of the cloud, it could be used as the basis for a standard. ISO 27001, an international data security management standard, has many of the components needed for a cloud security standard.

Reliance on cloud computing services is becoming more tempting because of the dramatic savings it can produce, but that requires checking out the inner workings of the cloud, said Renee Guttman, privacy officer for Time Warner, who spoke at RSA. Just as the cloud service itself lifts tasks from her staff, she wants to hire someone to help with those security checks.

“I want to be able to outsource some of my due diligence on a model that allows me continuous monitoring of the vendor,” she said. Such third-party verification not only makes better use of her resources, it could arguably perform such assessments better than her limited staff could. In fact, that would be a requirement.

“You’re darned-tootin’ they better be better at it than I am,” she said. ■
TECH UPDATE

An inside look at technologies and standards


Getting a grip on key rotation


BY BRIAN TOKUYOSHI

One of the ways to turn a pleasant dinner conversation among CISOs and risk managers into a philosophical battleground is to introduce the topic of key rotation, which is defined as the process of decrypting data with an old key and re-keying the data with a new one.

There are many conflicting ideas about how much key rotation is necessary, how far it should go, and how often it should be done. But it’s easier than you think.

Modern approaches to key rotation and a better understanding of security threat models enable you to establish a good balance between practicalities while maintaining good security principles.

In the past, key rotation was largely perceived as a security measure to defend against potential brute force attacks on cipher text. Because computer power increases over time, even if an attacker doesn’t have the means to brute force a key today it could be possible to do so in the future, so organizations periodically re-encrypted data with stronger keys.

However, a modern take on risk management finds that re-encrypting archived data is often riskier than leaving it alone. A backup tape is probably safer in a secured archive location with the original encryption, because the process of retrieving it for re-encryption introduces an opportunity for misplacement. Because of this, many IT managers are taking more of a risk-based approach to key rotation instead of doing it out of habit.

Key rotation is valuable, but it should be done strategically so organizations apply efforts in the right areas instead of applying the same policies unilaterally.

Another benefit is risk mitigation. Periodically changing keys reduces the potential data loss if the key is lost or compromised. The frequency of key rotations varies depending on many variables, such as the type of key, the operating environment, the amount of data encrypted, the classification of the data, and the application that uses the key.

Compliance laws are also driving companies to reevaluate their key rotation policies because encryption is a focal point for industry and privacy mandates. But it is critical to outline a strategic approach to key rotation issues and tools ahead of time. The National Institute of Standards and Technology provides definitions of appropriate key lengths and provides guidelines for how long keys should be used. And the PCI Data Security Standard is one example of a compliance initiative with requirements for encryption key rotations. In fact, for some companies there are multiple compliance initiatives that need to be supported simultaneously, which adds to the complexity and frequency of key changes.

The real source of pain for IT managers is the considerable time and effort that each key rotation takes, especially when dealing with poorly designed key management tools or even home-grown systems.

Many companies find that encrypting data is easy. Maintaining the keys is the hard part and is often the area overlooked when encryption projects start. What’s worse, the pain associated with key rotation often grows over time because there may be multiple key repositories, too many keys to manage, and too few resources to handle the rotation manually.

The amount of manual effort involved in handling keys is attributed to the quality of the management tools and how they deal with basic services such as provisioning, key storage and workflow. In the end, homegrown efforts to satisfy these requirements tend to be inflexible, operationally costly and brittle, and cannot address the changing encryption landscape.

The way to address these issues, both for existing key rotation problems and to prevent new ones from occurring, is to establish a solid enterprise key management infrastructure.

Enterprise key management provides three primary ways to address key rotation challenges. First, it provides visibility into the state of encryption keys across multiple key repositories. This is important because it eliminates the problem of having too many encryption key silos with no top-level view of which keys need to be rotated.

Second, enterprise key management provides the tools to automate the process for key rotation, so whether performing one key rotation or a hundred, it is the same relative amount of effort. With automation, security-conscious industries can rotate keys daily for sensitive systems that support things such as electronic payments and point-of-sale devices. Automation tools should also include workflow to ensure that internal procedures and processes are honored along the way.

Third, enterprise key management ensures that all key material throughout the IT environment stays safe and within the expected operating parameters. This includes enforcement of security policy, which ensures keys meet corporate guidelines for the key properties (length, type, time to live and so on) as well as for related services (how long to archive the key, recovery policies and so on).
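As an added illustration (not code from the primer or from PGP Corp), the following Go program models the three pillars just described on a constructed key inventory: a policy check that gives one view of which keys across several repositories are past their length or time-to-live guidelines, and a Rotate function that performs key rotation exactly as the article defines it, decrypting with the old key and re-keying under a new one, verifying the result before the old ciphertext is retired. The AES-GCM keys, repository names, policy thresholds and dates are all invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"time"
)

// Key is one inventory entry; Repository names the silo (HSM, PKI, vault) it lives in.
type Key struct {
	ID, Repository, Type string // Type is "symmetric" or "asymmetric"
	Bits                 int
	Created              time.Time
	Material             []byte // symmetric secret; nil for asymmetric keys in this example
}

// Policy is a constructed corporate guideline per key type: minimum length and time to live.
type Policy struct {
	MinBits int
	MaxAge  time.Duration
}

// DueForRotation is the top-level view across repositories: the IDs of keys that
// are too short, past their time to live, or of a type the policy does not cover.
func DueForRotation(keys []Key, policies map[string]Policy, now time.Time) []string {
	var due []string
	for _, k := range keys {
		p, ok := policies[k.Type]
		if !ok || k.Bits < p.MinBits || now.Sub(k.Created) > p.MaxAge {
			due = append(due, k.ID)
		}
	}
	return due
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key; the random nonce is prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or a modified ciphertext fails the tag check.
func open(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// Rotate is key rotation as the primer defines it: decrypt with the old key and
// re-key under a fresh one. The result is verified to round-trip before it is
// returned, so the caller retires the old key and ciphertext only when the
// replacement is known to be readable; a failure mid-rotation loses nothing.
func Rotate(old Key, ciphertext []byte, now time.Time) (Key, []byte, error) {
	plaintext, err := open(old.Material, ciphertext)
	if err != nil {
		return Key{}, nil, fmt.Errorf("decrypt with %s: %w", old.ID, err)
	}
	fresh := make([]byte, len(old.Material))
	if _, err := io.ReadFull(rand.Reader, fresh); err != nil { return Key{}, nil, err }
	rekeyed, err := seal(fresh, plaintext)
	if err != nil { return Key{}, nil, err }
	if check, err := open(fresh, rekeyed); err != nil || string(check) != string(plaintext) {
		return Key{}, nil, errors.New("re-keyed data failed verification")
	}
	return Key{old.ID + "-v2", old.Repository, old.Type, old.Bits, now, fresh}, rekeyed, nil
}

func main() {
	now := time.Date(2009, 4, 27, 0, 0, 0, 0, time.UTC) // constructed "today"
	policies := map[string]Policy{"symmetric": {128, 365 * 24 * time.Hour}, "asymmetric": {2048, 3 * 365 * 24 * time.Hour}}
	kek := make([]byte, 16) // constructed AES-128 key; a real one never leaves the key manager
	io.ReadFull(rand.Reader, kek)
	inventory := []Key{ // constructed inventory spanning three repositories
		{"pos-db-key", "hsm-east", "symmetric", 128, now.AddDate(-2, 0, 0), kek},   // past its time to live
		{"tls-sign", "pki", "asymmetric", 1024, now.AddDate(0, -6, 0), nil},        // below the minimum length
		{"backup-key", "tape-vault", "symmetric", 256, now.AddDate(0, -1, 0), nil}, // compliant: left alone
	}
	fmt.Println("due for rotation:", DueForRotation(inventory, policies, now))
	ct, _ := seal(kek, []byte("card batch 0427"))
	newKey, rekeyed, err := Rotate(inventory[0], ct, now)
	if err != nil { panic(err) }
	pt, _ := open(newKey.Material, rekeyed)
	fmt.Printf("rotated %s -> %s; data still readable: %q\n", inventory[0].ID, newKey.ID, pt)
}
```

Note that the compliant backup key is deliberately left alone, matching the article's point that re-keying archived data out of habit is itself a risk.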

It’s time for CISOs and risk managers to put aside the debates about key rotation and get back to their pleasant dinner conversations.

Tokuyoshi is product marketing manager at PGP Corp.


This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.


Five tips to tackle the key rotation problem

1. Don’t go overboard — take a risk-based approach to key rotation, examine the market requirements and see if key rotation is really solving the issue that it was intended to address. Apply key rotation with the appropriate measure.

2. Define the right thing to do — create key rotation policies appropriate to the different keys in use, with consideration for compliance requirements and industry guidelines.

3. Use the right tools — give management tools consideration when doing an evaluation of any encryption product. Poor management tools can turn even a good application into a key management nightmare.

4. Manual rotation is a thing of the past — automate the key rotation with workflow in an enterprise key management infrastructure.

5. Keep an eye on the big picture — consider an infrastructure that can manage all types of keys, including symmetric and asymmetric. Both have their own management and rotation policies that need enforcement and automation.
Analyzing Twitter with Excel, Part 4


Mark Gibbs

GEARHEAD


Over the last three weeks I’ve been trying to figure out how to analyze Twitter messages using Excel 2003, something I thought would be fairly easy, but it turns out there are a number of “gotchas.” The goal was to track the buzz about a specific product, so I wanted to retrieve Tweets that included the product’s name, and my first thought was to look for the historical data . . . which proved to be a headache.

While the Twitter search API can provide a news feed for a given date range, you only get the newest 15 Tweets in that period. This isn’t going to be of much use if there was a real buzz about the product.

So, if you want all the Tweets for a given period, the only choice is to get the data in HTML format from multiple requests of blocks of search results. Last week I came up with a way to retrieve the required data using two free open source utilities: cURL to grab and save the search results in a file, and grep to parse the saved data.

I wrapped these utilities in a batch file (which I call tweets.bat) to which I have since added some extra error testing. I also created another batch file, domonth.bat, that calls tweets.bat for each day of a given month. Finally, a simple program I wrote is called by tweets.bat and updates a comma separated value (CSV) file that contains a line for each date with the number of Tweets found.

To perform the analysis in Excel, a data source — the CSV file — is imported into an existing spreadsheet by refreshing the source, and a graph shows the number of Tweets per day for a given month. I admit it: This is ugly, ugly, ugly, but it works and requires minimal resources.

This system covers the historical data, but usually if you’re interested in the public buzz on a specific topic you’ll want to monitor that in real time or thereabouts.

As I pointed out in the first column, to get all of the Tweets in the public timeline you’ll need to make arrangements with the folks at Twitter. On the other hand, if the topic you’re interested in is generating 15 or fewer Tweets in a given period (call that X minutes) you could just repeatedly access the RSS feed every X minutes to get a quasi real-time snapshot.

Here’s how to do that: In Excel set up an XML Map by selecting Data > XML > XML Source and then click on XML Maps. In the XML Maps dialog that appears click on Add, then in the filename field enter http://search.twitter.com/search.rss?q=PRODUCTNAME (fill in what you’re tracking there at the end) and then click on Open. You’ll go back to the XML Maps dialog, so now click on OK. Excel will then display the schema of the feed.

Drag the item pubDate from the XML tree onto your spreadsheet, say onto cell A3. Now right click on A3 and select XML > Refresh XML data and the cells below A3 will contain the publication times of the last 15 Tweets.

To get an analysis of this data you’ll need to massage the pubDate values to extract dates and times, then use a pivot table to correlate the derived values and a pivot chart to plot them. Sounds complicated? It is.
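As an added example that is not part of the column (Gibbs' batch files and program are not shown), here is a Go program that does the pubDate massaging and per-day counting described above, on a constructed RSS sample in the search.twitter.com layout of the time, and emits the same date,count lines the CSV file carries. The sample Tweets, times and product name are invented; one deliberately unparseable pubDate shows how a feed change is surfaced rather than silently dropped, and the -0500 item shows why times are normalised to UTC before bucketing by day.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
	"strings"
	"time"
)

// feed mirrors the parts of the search RSS the column uses: one <item> per
// Tweet, each carrying a <pubDate> in RFC 1123 form with a numeric zone.
type feed struct {
	Items []struct {
		Title   string `xml:"title"`
		PubDate string `xml:"pubDate"`
	} `xml:"channel>item"`
}

// CountPerDay parses an RSS document and returns Tweets per UTC calendar day,
// which is the per-date line the column's CSV file carries. Items whose
// pubDate cannot be parsed are counted separately so a change in the feed's
// date format is noticed instead of quietly shrinking the totals.
func CountPerDay(rss string) (map[string]int, int, error) {
	var f feed
	if err := xml.Unmarshal([]byte(rss), &f); err != nil {
		return nil, 0, err
	}
	counts := map[string]int{}
	bad := 0
	for _, it := range f.Items {
		t, err := time.Parse(time.RFC1123Z, strings.TrimSpace(it.PubDate))
		if err != nil {
			bad++
			continue
		}
		counts[t.UTC().Format("2006-01-02")]++
	}
	return counts, bad, nil
}

// ToCSV renders the counts as "date,tweets" lines in date order, the shape
// Excel refreshes from as an external data source.
func ToCSV(counts map[string]int) string {
	days := make([]string, 0, len(counts))
	for d := range counts {
		days = append(days, d)
	}
	sort.Strings(days)
	var b strings.Builder
	b.WriteString("date,tweets\n")
	for _, d := range days {
		fmt.Fprintf(&b, "%s,%d\n", d, counts[d])
	}
	return b.String()
}

// sampleRSS is a constructed feed in the layout search.twitter.com returned
// in 2009; the product name, Tweets and times are made up.
const sampleRSS = `<?xml version="1.0"?>
<rss version="2.0"><channel><title>PRODUCTNAME - Twitter Search</title>
<item><title>Just tried PRODUCTNAME, not bad</title><pubDate>Mon, 27 Apr 2009 13:05:00 +0000</pubDate></item>
<item><title>PRODUCTNAME crashed again</title><pubDate>Mon, 27 Apr 2009 23:59:30 +0000</pubDate></item>
<item><title>PRODUCTNAME late night</title><pubDate>Mon, 27 Apr 2009 20:15:00 -0500</pubDate></item>
<item><title>review of PRODUCTNAME</title><pubDate>Tue, 28 Apr 2009 08:00:00 +0000</pubDate></item>
<item><title>broken date</title><pubDate>yesterday</pubDate></item>
</channel></rss>`

func main() {
	counts, bad, err := CountPerDay(sampleRSS)
	if err != nil {
		panic(err)
	}
	fmt.Print(ToCSV(counts))
	fmt.Println("unparseable pubDate values:", bad)
}
```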

I leave it as an exercise for the more intrepid reader to make the spreadsheet periodically refresh and update the graph. On the other hand, I have also wrapped the spreadsheet with an XML Map in an Xcelsius presentation so it automatically refreshes and redraws the graph.

If you want a copy of the batch files I discussed above along with cURL, grep and my nasty little program, as well as the spreadsheet and the details of the automated Xcelsius version, send an e-mail to gearhead@gibbs.com with the subject “TA”.

Next week, Gibbs will have something completely different from Ventura, Calif. Your alternatives to gearhead@gibbs.com.


More iPhone juice, less bulk


COOL


The scoop: Juice Pack Air, by Mophie, about $80.

What it is: An update to the original Mophie Juice, the Air is a rechargeable external battery case for iPhone 3G users. Not only will the Air give you extra battery juice when you need it, but the hard plastic case provides additional protection for your iPhone 3G. Mophie says the battery provides users with an additional 270 hours of standby time, up to 4.5 extra hours on 3G (9 hours on 2G), and up to 4.5 hours of data time on 3G (extra 5.4 hours on Wi-Fi). For multimedia use, the Air provides as much as 20 hours of additional audio playback time, and as many as six extra hours of video time. A button on the back of the Air and four LEDs give you quick notification of how much battery power is left on the device. Cases come in three colors: white, black or purple (interesting color choice!).

Why it’s cool: Battery life is one of the biggest issues for iPhone 3G owners. Since iPhone users tend to spend more time online — doing e-mail or surfing the Web — it isn’t uncommon for the power to run out just when you’re expecting that big call.

There are several options for extending the life of your iPhone 3G, but the Juice Pack Air is an excellent alternative.

The original Mophie Juice Pack provided a good amount of battery power for the iPhone, but it was bulky and turned the sleek iPhone into a brick. Mophie has done a great job of slimming down the size and weight of the Air, so when you slide your iPhone 3G into the case, it doesn’t feel as heavy as earlier models. The design of the Air has also been improved. On the earlier version you would slide the phone in and leave an open space at the top, while on this model there’s a “cover” that you slide in over the top of the iPhone to provide the extra protection.

Mophie has made the next version of the Juice Pack Air sleeker.

A mini-USB cable lets you synchronize the iPhone with your PC while it’s attached to the Air. You can also recharge the Air and the iPhone at the same time with the cable. A handy switch lets you turn off the charging features while it’s attached, letting you use up the battery in the iPhone and then switch the Air on for the recharge when needed.

One caveat: Because the device uses Apple’s universal charging port as part of its design, you can’t have the Air attached and then use the iPhone for other purposes, such as attaching it to external speakers. Fortunately, the Air is easy to detach. Also, this only works with the iPhone 3G, so owners of the first-generation iPhone, as well as iPod touch users and iPod users, will need to look elsewhere.

Grade: ★★★★★ (out of five).

Shaw can be reached at kshaw@nww.com. Follow him on Twitter at http://twitter.com/shawkeith.
CASE STUDY

A Unified Campus: UC Bridges the Miles for Students, Teachers


Edwin Craft, Director of Telecommunications and Interactive Video Services

WESTERN KENTUCKY UNIVERSITY

With more than 15 years of experience in the communications industry, Craft is working on his doctoral degree in Organizational Leadership. He was recently featured in Chronicle of Higher Education, Forbes and Campus Technology.


When Edwin Craft deployed a unified communications strategy for Western Kentucky University, he unified more than technology; he brought together the student body. Here’s how:

How is Western Kentucky University challenged in attracting students and faculty?

Kentucky is rural, so the students we attract are spread out. Often these students are place-bound, meaning they don't travel long distances to attend classes. So we needed to extend the main campus to reach them, and we also needed to accommodate guest teachers from around the world to broaden the faculty capacity of the main campus and reach external experts.

What role did Avaya's unified communications solution play in addressing that challenge?

Avaya’s unified communications solution proved to be a green technology that freed us from physical infrastructure boundaries. What’s more, communications isn’t just about picking up the phone anymore. It encompasses voice and video, email and voicemail, and now even Facebook and MySpace. Avaya’s solution gave us the core infrastructure to do what we needed. It’s like a communications system for tomorrow, but we have it today.

Which capabilities delivered the most impact?

We got a lot of great capabilities with the platform, but video in the classroom has delivered the most impact with regard to growth and the ability to push coursework out to place-bound students. We also use the system to support emergency communications because the entire communications infrastructure is operational 24/7. Of course, there are other things we can do that our users really like — such as voicemail-to-email and bridging desk phones to mobile devices.

How did you prepare your network for the transition?

With any transition tied to communications we always talk about the five 9s. It’s easy to say that if you throw enough bandwidth at anything, it’ll work. But with all the traffic on campus, that’s not always true. People want a dial tone; if it doesn’t work, they lose interest. That’s why, in preparing for the transition, we started with a robust infrastructure — Avaya’s unified communications solution — and built from there.

What's the business value for the university and your staff?

The university, in its most basic sense, is responsible for teaching. UC technology has allowed us to broaden that scope, and we've effectively increased the number of students from 14,000 prior to 2003 to 19,800 today. And that hasn't detracted from the quality of education. Faculty members are there to teach, not to be hindered by technology, so our rooms are simple and stable. That said, this more robust technology — even though it seems like things are getting more complex — makes things easier for my staff.

What programs have resulted from deploying Avaya's solution?

We achieve a great deal of value through IVS (interactive video services), which allows our remote campuses to host the same courses as the main campus. Several key programs have been enhanced by IVS — for example, our nursing program and a joint engineering program with University of Louisville and Murray State University. And the future is an open door. Our goal is to give every incoming student a telephone number, which will be that student’s unified communications platform for receiving calls, dropping messages into email or even forwarding those calls to another number.


For more information go to: www.networkworld.com/community/uc

NETWORKWORLD Custom Solutions Group
CLEAR CHOICE TEST: NOVELL'S SLES 11

Novell's SLES 11 is packed to the gills, keeps moving at a decent clip

New features home in on improved management, integrated virtualization

BY TOM HENDERSON AND BRENDAN ALLEN, NETWORK WORLD LAB ALLIANCE

In our Clear Choice test of Novell's SUSE Linux Enterprise Server (SLES) 11, we found it to be packed with useful management tools, to have virtualization threaded through many of its processes, and to perform at rates close to the high bar set by past versions of the Linux bundle.

Installation is very similar to SLES 10, but includes some new options. For example, there is a server scenario selection process, and the choices include: Physical Machine (also used for fully virtualized virtual machines [VMs]), Virtual Machine (for paravirtualized environments such as Xen) and Xen Virtualization Host (for use as a hypervisor host platform). These match the increasing number of choices allowed for Windows Server 2008 editions, where VM substrates are a part of the front-end, pre-install process.

The Xen hypervisor has been updated to Version 3.3.1. The default SLES 11 file system is now ext3, although the previous default file system, reiserfs, is still supported, as are others including ext2, jfs and NTFS.

The default local security policies in general seem to be a bit more restrictive. For example, when trying to shut down the machine, the root/admin password is required by default.

There is a new software management subsystem called ZYpp that is used in conjunction with the long-favored YaST setup tool to correlate the dependencies of applications with other system applications while upgrading software packages, thereby helping to thwart incompatibility issues. We found ZYpp speedier than previous tools, as it automated software dependency checks and delivered updated software more quickly than anything we have seen before.

New additions in the management and security realms for SLES 11 include an open source program called Nagios, a network monitoring tool that watches network access activity for different workstations on your network.

Nagios Version 3.0.6 has a Web-based interface, so an Apache Web server must be installed as well. The default configuration needs a little fine-tuning, but most of the options were pre-configured. Nagios can check whether different network services (for example SMTP, POP3 and HTTP) are running, then create alerts by e-mail, cell phone or pager if something stops responding. Nagios can also monitor basic host resources such as processor load and disk usage. We turned off some services, which Nagios detected quickly, and it proceeded to send an e-mail to the appropriate place.

SLES 11 also includes an updated version of StrongSwan, an IPSec stack that can be used for creating either site-to-site or remote-user VPN connections. StrongSwan has been upgraded to support IPv6 tunneling. We did not test this VPN service.

In addition, there is a Web-based graphical management tool for IKEv2 encryption key management for various applications, including the IPv6 IPSec VPNs now permitted with StrongSwan.

And, finally, Novell has produced a YaST Security module, which consolidates a raft of formerly separate settings (file permissions and login restriction parameters, for example) into a single, comprehensive (and finally usable) user interface. For instance, during testing we were able to change policy settings and set user folder permissions without having to leap back and forth between formerly disparate user interfaces.

Novell also added Trusted Computing Platform capabilities for some encryption management capabilities, but we did not test these.

NET RESULTS

Product: SUSE Linux Enterprise Server Version 11
Vendor: Novell, www.novell.com
Price: Annual subscriptions starting at $349 per server.
Pros: Lots of streamlined, simpler administration processes; much easier to deploy.
Cons: 'Tickless' kernel may cause application incompatibilities; very slight decrease in performance.
Score: 4.13

SCORECARD

Action                       Weight   Score
Installation/compatibility   25%      4
Administration               25%      4.5
Security                     25%      4
Performance                  25%      4
Total score                           4.13

Scoring key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Subpar or not available.

Developers arise

There are quite a number of new features in SLES 11 (although these items are missing from SLED 11 [www.nwdocfinder.com/9722]) for developers, including updated versions of the application debugger gdb and the gcc compiler. One nice new feature is the included .Net development framework dubbed Mono, which has partial compatibility with the Microsoft .Net framework. Included is an application called Mono Analyzer that is used to check whether your .Net application is compatible with Mono's .Net framework emulation. Novell says about half of the .Net applications it tested worked without any changes.

Also included in the SLES 11 developer toolkit is ltrace, a useful command for debugging applications, similar to Sun's dtrace tool. The idea behind these two tools is to find application execution-time problems by monitoring what applications do, how they branch and, most importantly, how long they take to do these things, so that the application can be optimized for performance.

But unlike the Sun tool, which requires the source code to be available in order to debug the application, ltrace works by catching and retrieving the shared library calls made by the application's process, or the signals received while it's running. The result is that both developers and even enlightened civilians with root rights can watch application behavior to ascertain the nature of problems or optimizations.

Popping the kernel

SLES 11 uses the 2.6.28 Linux kernel (SLES 10 initially used 2.6.16). This kernel is different in that it runs in a "tickless" mode by default, which eliminates system ticks (timer events sent to the CPU at regular intervals) and therefore lets the CPU potentially rest for long periods of time during inactivity, if applications support this conservation state. This upgrade gives SLES 11 a greener side, as tick-based kernels are by convention interrupted a thousand times per second to see if there's work to do (see our Green OS test for a discussion of the tickless Linux kernel at www.nwdocfinder.com/9621).

Control groups (cgroups) comprise a new kernel feature that implements a minimal file system interface to create task groups and to handle permissions and task assignments.

The cpuset system, which uses cgroups, is a new feature used to divide resources by partitioning CPU and memory resources into separate groups. Processes running inside one of the cpuset groups won't be able to run on CPUs/cores that are not in the cgroup. This lets administrators force applications to 'home' to a specific CPU core.

A command-line tool called cset is used to create and modify the cpuset groups. In our test, this mechanism did restrict usage to the administratively desired CPUs when running a process inside one of the CPU sets. We could even move processes that were already running into a set to restrict their access to the target server's CPU cores.
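One way to verify that the confinement described above actually took effect, as an added example that is neither Novell's cset nor the reviewers' own test code: the kernel reports each task's effective CPU affinity as Cpus_allowed_list in /proc/<pid>/status, in the same range syntax that cpuset.cpus uses, so the check parses both and confirms the process's allowed CPUs are a subset of the set's. The sample status text is constructed; check_pid assumes a Linux /proc.

```python
"""Check that a process is confined to the CPUs of a cpuset (added example).

Parses the kernel's CPU-list syntax ("0-3,6"), reads Cpus_allowed_list from
/proc/<pid>/status text, and reports whether the task may only run on CPUs
that belong to the cpuset it was placed in.
"""
from __future__ import annotations

import re

_RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_cpu_list(spec: str) -> set[int]:
    """Expand a kernel CPU list such as '0-3,6' into {0, 1, 2, 3, 6}.

    An empty string means "no CPUs", which is what a freshly created cpuset
    reports before an administrator writes to its cpuset.cpus file.
    """
    cpus: set[int] = set()
    spec = spec.strip()
    if not spec:
        return cpus
    for part in spec.split(","):
        m = _RANGE_RE.match(part.strip())
        if m is None:
            raise ValueError(f"malformed CPU list element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise ValueError(f"descending range in CPU list: {part!r}")
        cpus.update(range(lo, hi + 1))
    return cpus


def cpus_allowed_from_status(status_text: str) -> set[int]:
    """Pull the Cpus_allowed_list field out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("Cpus_allowed_list:"):
            return parse_cpu_list(line.split(":", 1)[1])
    raise ValueError("Cpus_allowed_list not present in status text")


def confined_to(status_text: str, cpuset_cpus: str) -> bool:
    """True when every CPU the task may run on belongs to the cpuset."""
    allowed = cpus_allowed_from_status(status_text)
    return bool(allowed) and allowed <= parse_cpu_list(cpuset_cpus)


def check_pid(pid: int, cpuset_cpus: str) -> bool:
    """Live check for a running process; assumes a Linux /proc filesystem."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return confined_to(fh.read(), cpuset_cpus)


# Constructed samples: a process placed in a cpuset whose cpuset.cpus is
# "0-1", and one that was never moved and may still run on all four cores.
SAMPLE_PINNED = "Name:\tjava\nPid:\t4242\nCpus_allowed_list:\t0-1\n"
SAMPLE_FREE = "Name:\tjava\nPid:\t4243\nCpus_allowed_list:\t0-3\n"

if __name__ == "__main__":
    print("pinned process confined:", confined_to(SAMPLE_PINNED, "0-1"))  # True
    print("free process confined:", confined_to(SAMPLE_FREE, "0-1"))      # False
```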

Another feature, swap over NFS, allows swap space (virtual memory) to be allocated on an NFS share instead of on the local machine's hard drive. This allows one to utilize the vast storage of an NFS share, and increases our addiction to NFS (interestingly, developed by Sun).

Novell has also included some pre-release code in this bundle to give users a preview of things to come. The previews include ext4 (successor to the ext3 file system), eCryptfs (a POSIX-compliant cryptographic file system), iSNS (Internet Storage Name Service) and Hot Add Memory (which only applies to certain hardware, and none we had in the lab).

Gauging performance

In our business benchmark logic performance test we used the Java-based SPECjbb2005 tool. We ran tests on the native operating system running directly on the hardware server, and we assessed performance in various virtualization scenarios.

For the native performance test, we had to downgrade SLES 11's Java version to 1.5 from the newer preinstalled Java 1.6 to get a level playing field against previous tests done with Java 1.5 running on SLES 10. After several test runs of SPECjbb2005, SLES 10.2 with Java 1.5 completed an average of 33,396 Basic Operations/Sec (BOPs), while SLES 11 completed an average of 30,065 BOPs. The nominally slower performance is likely because SLES 11 uses ext3 as the default file system, which some claim is slower than reiserfs, the default file system with SLES 10.

To be fair, the Java 1.6 version supplied with SLES 11 did perform somewhat faster, hitting 42,581.5 BOPs. We did not run a native test on SLES 10.2 with Java 1.6, so we have no comparative number there.

We also ran some virtualization performance tests to ascertain any changes when running both existing SLES 10 and new SLES 11 VMs on the Xen 3.3.1 hypervisor included with SLES 11.

In this test, we ran three SLES 10.2 VMs on a server running SLES 11 with Xen 3.3.1 as the hypervisor. These VMs were the same ones used in the SLES 10.2 Xen testing. Again we had to run one set of tests of SLES 11 with Java 1.5 in place to get the direct comparison with performance numbers gathered for SLES 10.

The overall average for the same VMs with SPECjbb2005 running under SLES 10.2 Xen 3.2 with Java 1.5 was 33,956 BOPs on each VM (see article at www.nwdocfinder.com/9622) compared with 33,264.17 BOPs on each VM under SLES 11 Xen 3.3.1. While these results are quite close, performance for the newer combination has decreased slightly.

In order to compare performance of SLES 10 VMs against performance of SLES 11 VMs when running on the new Xen 3.3.1 hypervisor, we had to deploy Java 1.6 on both operating system versions before we could get apples-to-apples results from SPECjbb2005. The SLES 10 VMs yielded an average of 42,166 BOPs/VM across test runs, while SLES 11 VMs averaged 40,820.11 BOPs. Based on these numbers, SLES 11 performance has decreased slightly. The overall BOPs count was likely higher across all VM measurements in these tests because Java 1.6 is faster than Java 1.5.

We also ran tests with IOMeter to ascertain disk performance, based on test regimens we've used to test VM and native operating system performance. These tests showed very little difference between SLES 10.2 and SLES 11.

Conclusion

While many of the changes in SLES 11 are incremental, the inclusion of Mono tools and Solaris-like developer tools make us appreciate SLES 11 more as a server platform, especially as it's easier than ever to pre-select a server configuration and application build. Novell has paid attention to system installers that want up-front choices that are easily deployed and managed. There were a few rough edges, but Novell has done a lot to give especially busy system integrators and installers easily understood deployment configuration loads with virtualization in mind. It's their best yet.

Henderson and Allen are researchers for ExtremeLabs in Indianapolis. Contact them at kitchen-sink@extremelabs.com.

Henderson is a member of the Network World Lab Alliance, a cooperative of the premier testers in the network industry, each bringing to bear years of practical experience on every test. For more Lab Alliance information, including what it takes to become a partner, go to www.networkworld.com/alliance.

How to create an effective end-user security awareness program

BY LYNN HABER

Installing the latest security hardware and software means nothing if users don't practice cyber safety. And the best way to get users to "think security" is to create an ongoing culture of security at your company.

"Security awareness isn't one of those things that organizations do for fun. It's 24/7, and accountability starts with the CEO and is pushed to all corners of the organization," says Larry Ponemon, founder of the Ponemon Institute, a privacy and data protection research firm in Traverse City, Mich.

The stakes are high and getting higher all the time. In January, the Identity Theft Resource Center (ITRC) reported that the number of data breaches in 2008 increased 47% compared to 2007. The organization also reported that 35.2% of breaches were due to human error.

And Ponemon recently released a study showing that the average cost of a data breach grew to $202 per record compromised in 2008, up from $197 per record in 2007. In addition, the average security event cost individual companies $6.6 million per breach in 2008, up from $6.43 million in 2007 and $4.7 million in 2006.

Worse, security breaches result in a loss of consumer confidence, which translates into customers taking their business elsewhere.

So, what are the keys to a successful security awareness program? Creating a culture of security starts at the top, includes individuals from all departments and groups, is based on predetermined policy and subsequent controls, is consistently revisited and updated, and is practiced daily.


Security is Job One

Computer security is a fast-moving target. Today there are more threats, vulnerabilities and portable storage devices, and there's increased mobility. There's also less of a wall between one's personal life and work life. The things to protect and protect against are changing.

That means educating users about security is more difficult, demanding and necessary than ever before.

"Today, users are more aware of existing threats, but threats are more sophisticated and they migrate faster," says Max Reissmueller, senior manager of IT infrastructure and operations at Pioneer Electronics in Long Beach, Calif.

Reissmueller is responsible for user security awareness for roughly 1,600 employees at about 15 locations in North America. Pioneer Electronics has a formal security review board that updates policy annually and disseminates changes to users.

But one major problem when it comes to user training is that security is not the user's primary job. "The end user doesn't do security for a living, so their focus isn't on how to keep the company secure; it's how to best do their job," Reissmueller says.

In fact, industry experts agree that social engineering makes it difficult for enterprises to keep up with the rapidly changing vulnerability landscape. You can't expect users to be security experts, but you can teach them how to notice when something looks suspicious, and who to call when a security-related issue arises.

Another key is to put security awareness in the larger context of protecting a company's assets, revenue and reputation. "Policy is often written with little or no consultation. End users get e-mails to be aware about threats, but there's no context," says Sam Curry, vice president, product management and strategy at RSA, the security division of EMC.

Not only does Curry believe that creating a culture of security requires the involvement of all the organization's departments and groups, but also that it's paramount that users understand why their actions create a risk for the organization.

What happens when security risk isn't put in context for users? According to RSA's 2008 Insider Threat Survey, "People will do as they will, regardless of awareness of best security practices."

The survey, which polled 417 people from North America and Latin America, found that 94% were familiar with their organization's IT security policies, yet 53% have felt the need to circumvent IT security in order to get their work done.

TOP 5 MISTAKES USERS MAKE

1. Write down passwords.

2. Click on anything that has a link in an e-mail or open attachments they're not expecting.

3. Lead personal lives online at work and store personal information on work computers.

4. Share log-on information.

5. Walk away from their computers with the computer screen unlocked.

New York State is extremely concerned about phishing in general, and more specifically spear phishing: highly targeted phishing attacks designed to penetrate organizations, government agencies and groups.

Beginning in 2005, the state Office of Cyber Security & Critical Infrastructure Coordination (NYS-CSCIC), along with the Anti-Phishing Working Group, AT&T and the SANS Institute, ran its first antiphishing pilot project.

The goal was to raise employee awareness of the danger of phishing scams and to provide employees with information to help protect themselves and the agency. The project was also designed to gain a better understanding of the effectiveness of security training.

The first exercise was conducted with 10,000 users who were unaware of the project. The first step of the exercise was to distribute an informational bulletin alerting users to the perils of phishing and providing steps to take if they encounter malicious activity.

Next, the mock phishing scam exercise involved sending an e-mail to the group that appeared to be coming from a legitimate source, the agency's Information Security Office, and contained a link to the NYS-CSCIC Web site with instructions to visit it to check the security of their password.

If they clicked on the link and attempted to type in their password, they failed the test. While 17% followed the link, 15% of the e-mail recipients attempted to interact with the fake password form.

Those individuals who passed the test received a congratulatory message; those who were duped were directed to a tutorial on how to be aware of phishing scams.

Another mock phishing exercise was conducted on the same employee audience two months later. The goal was to assess whether they had learned anything from the first exercise. This time, employees were sent an e-mail that appeared to come from the agency's help desk with a subject line that read "Internet Connection Problems."

The e-mail informed users of Internet connection outages because of a suspected cybersecurity event, and contained a link to a dummy NYS-CSCIC Web site where they were asked to assist the agency by answering some questions about connectivity issues.

Those who followed the link and attempted to answer questions were notified that they had fallen prey to the exercise and were given a feedback survey to explain their actions. Fourteen percent followed the link, but only 8% attempted to input information.

William Pelgrin, chief cybersecurity officer and director, NYS Office of Cyber Security & Critical Infrastructure Coordination, Albany, N.Y., was pleased with the results of the phishing exercise.

"Cybersecurity awareness is about cultural change; repetition of exercises like the scam phishing help," he says.

In early 2008, NYS-CSCIC rolled out a stand-alone 10-module computer-based security training program that included interactive exercises, such as the scam phishing program. The introductory, non-technical course also includes modules on security accountability, social engineering/phishing, security threats and other issues that users need to be aware of.

Later that year, a server version of the same training program was made available to state and local governments through the Multi-State Information Sharing and Analysis Center.

This year, NYS-CSCIC will conduct more periodic, automated, interactive exercises, in a manner similar to the phishing pilot, in its efforts to create a culture of security through experiential learning.

- LYNN HABER

Best practices

Pioneer's Reissmueller says there's security compliance and there's security awareness, and they're not the same thing. Security awareness is not a check-box item. It's also not a one-time or even twice-a-year event.

Security awareness must be ongoing "to keep the knowledge fresh and real in the mind of the end user," he says.

The training often begins by working to get users to really understand why security awareness is necessary.

"Organizations want users to internalize the problem. They want employees to do the right thing because it's the right thing to do, not because you're watching them," says Mark Rasch, a Bethesda, Md., attorney specializing in computer security and regulatory compliance. Rasch is also the former head of the U.S. Department of Justice computer crime unit.

A common component of security awareness training is a DVD, video or Web-based module. Companies also require that all employees read and sign Internet and acceptable-use policy and security policy documents.

TEN STEPS TO SECURITY SAFETY

1. Conduct an overall assessment of existing vulnerabilities.

2. Develop Internet and acceptable-use policy.

3. Sell the plan and build the value model. Get C-level sponsorship.

4. Educate and build awareness. Include everyone who touches information assets or is involved in infrastructure.

5. Put security awareness in context.

6. Know how to recognize that there may be a problem.

7. Understand how to deal with problems.

8. Allow for dialog, listen to end users' concerns, and revisit policy.

9. Never treat security awareness as a check-box item.

10. Practice security awareness daily.

"Policy must also reflect the culture of the company and its values," Rasch says. Furthermore, policy must be enforced with training. "The longer an organization goes without training, the greater the divergence between the written one [policy] and the unwritten one, or the one users are following," he adds.

Many organizations offer security awareness training. For example, SCIPP International, a global nonprofit organization in Vienna, Va., offers security awareness certification for individuals and organizations.

Hands-on training

In 2005, New York State developed an antiphishing exercise in conjunction with the Anti-Phishing Working Group, AT&T and the SANS Institute. The exercise involved 10,000 employees who were unaware they were participating in a security exercise.

In the exercise, 15% of employees fell prey to a phishing scheme. After the results were tallied, these individuals got a message informing them that they had fallen for a phishing e-mail and directing them to a brief tutorial on how to be more aware of phishing scams.

The organization launched a different online exercise to the same employee population two months later and saw a 50% improvement. Users who failed the second exercise were asked to participate in a feedback survey to determine why they took the action they did.

The goal of the exercise was to understand how well the state communicates and how well users learn, according to William Pelgrin, chief cybersecurity officer and director, NYS Office of Cyber Security & Critical Infrastructure Coordination, Albany, N.Y.

"Just telling people that phishing is out there isn't very effective. It's better for users to have a tactile, interactive experience," he says.
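How the outcome of an awareness exercise of this kind can be tallied, as an added example that is neither the state's program nor the article's own material: each recipient is classified from click and form-submission events, the rates the article quotes are computed over all recipients, the pass/fail follow-up message is chosen, and two rounds are compared for the relative drop in the failure rate. The Event type, user names and round data are constructed for illustration.

```python
"""Score a mock-phishing awareness exercise (added example, not NYS-CSCIC code).

Every recipient is a participant. A recipient who never touched the message
passes, one who followed the link but entered nothing is "followed", and one
who submitted the fake form fails. Rates are fractions of all recipients, as
the 17%/15% and 14%/8% figures in the text are.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

PASSED, FOLLOWED, FAILED = "passed", "followed", "failed"


@dataclass(frozen=True)
class Event:
    """One constructed tracking record from the exercise's landing page."""
    user: str
    action: str   # "link" (opened the URL) or "submit" (sent the form)


def outcomes(recipients: list[str], events: list[Event]) -> dict[str, str]:
    """Classify each recipient; a submit outranks a click, a click outranks nothing."""
    result = {u: PASSED for u in recipients}
    for ev in events:
        if ev.user not in result:
            continue   # stray record for someone outside the exercise group
        if ev.action == "submit":
            result[ev.user] = FAILED
        elif ev.action == "link" and result[ev.user] == PASSED:
            result[ev.user] = FOLLOWED
    return result


def rates(outc: dict[str, str]) -> dict[str, float]:
    """Fraction who followed the link at all, and fraction who failed."""
    n = len(outc)
    c = Counter(outc.values())
    return {"followed": (c[FOLLOWED] + c[FAILED]) / n, "failed": c[FAILED] / n}


def message_for(outcome: str) -> str:
    """Follow-up each participant receives, as in the pilot described above."""
    return "tutorial" if outcome == FAILED else "congratulations"


def improvement(first: dict[str, str], second: dict[str, str]) -> float:
    """Relative reduction in failure rate between rounds (0.5 means 50% better)."""
    a, b = rates(first)["failed"], rates(second)["failed"]
    return 0.0 if a == 0 else (a - b) / a


def repeat_failures(first: dict[str, str], second: dict[str, str]) -> list[str]:
    """Users who failed both rounds: the natural audience for the feedback survey."""
    return sorted(u for u, o in second.items()
                  if o == FAILED and first.get(u) == FAILED)


# Constructed sample: 20 recipients, two rounds of tracking events.
RECIPIENTS = [f"user{i:02d}" for i in range(20)]
ROUND1 = [Event("user01", "link"), Event("user01", "submit"),
          Event("user02", "link"), Event("user03", "link"), Event("user03", "submit"),
          Event("user04", "submit"), Event("user05", "link"),
          Event("outsider", "submit")]
ROUND2 = [Event("user01", "link"), Event("user01", "submit"),
          Event("user02", "link"), Event("user07", "link")]

if __name__ == "__main__":
    r1, r2 = outcomes(RECIPIENTS, ROUND1), outcomes(RECIPIENTS, ROUND2)
    print("round 1:", rates(r1))                        # followed 0.25, failed 0.15
    print("round 2:", rates(r2))                        # followed 0.15, failed 0.05
    print("improvement:", round(improvement(r1, r2), 3))  # 0.667
    print("repeat failures:", repeat_failures(r1, r2))   # ['user01']
```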

Changing behavior

Some low-level activities that organizations use to create security-conscious users include displaying posters, running banners on the company's intranet, hosting a computer awareness day and distributing security training material.

An additional training tool is to run mock scenarios to reinforce what to look for, what action to take and who to contact. "The user has to know, this is what you have to do and why you have to do it," Rasch says.

It's also important for organizations to provide role-based training for individuals with specific jobs and responsibilities, says Mark Wilson, IT specialist, information security, with the NIST Computer Security Division, Gaithersburg, Md.

Reissmueller takes a multi-pronged approach to security awareness, which includes penetration testing, because he finds that policy and education alone aren't enough.

"The goal is to make security awareness a partnership between the end user and the business, something they do without realizing they're thinking about it," he says.

Haber is a freelance writer. She can be reached at lthaber@comcast.net.

Broadcom bids to buy Emulex

BY ELIZABETH MONTALBANO, IDG NEWS SERVICE

Following a rejection of its efforts to purchase the company in January, Broadcom last week made an unsolicited bid to purchase Emulex for $764 million.

This marks the latest industry move in a data center convergence frenzy involving everyone from Cisco to HP.

Broadcom sent a letter to Emulex's board of

BY  JON  BRODKIN 

HP  has  rolled  out  BladeSystem  Matrix,  a  con¬ 
verged  software,  server,  storage  and  network 
platform  designed  to  compete  against  Cisco’s 
Unified  Computing  System. 

BladeSystem  Matrix,  announced  last  week, 
weaves  numerous  hardware  and  software 
pieces  together  into  one  system,  creating  “an 
integrated  pool  of  resources  that  operate  in 
both  physical  and  virtual  environments,”  HP 
says.  A  self-service  portal  lets  IT  shops  quickly 
design,  deploy  and  optimize  applications,  the 
company  says. 

The  idea  is  to  eliminate  the  “islands”  of  IT  in 
which  separate  teams  manage  servers,  net¬ 
working,  power  and  virtual  machines,  says  Jim 
Ganthier,  HP’s  vice  president  of  marketing  for 
infrastructure, software  and  blades. 

“What  if  the  data  center  were  just  one  large 
pool,  a  pool  of  compute,  a  pool  of  networking 
and  storage,  all  run  by  a  very  simple,  easy-to- 
use  management  framework,”  he  says. 

HP’s  announcement  comes  two  months  after 
Cisco  unveiled  UCS,  which  will  tie  together 
compute,  network,  virtualization,  storage 
access  and  management  technologies  into 
one  platform.  The  Cisco  UCS  is  designed  for 
rapid  application  deployment  in  highly  virtual¬ 
ized  data  centers. 

Also  competing  in  this  market  is  Liquid 
Computing,  a  relatively  new  vendor  that  boasts 
of  its  ability  to  support  virtualized  and  bare 
metal  applications  with  the  same  manage 
ment  system.  Liquid  Computing  has  its  unified 
platform  on  the  market,  while  Cisco’s  will  not 
be  generally  available  until  June. 

HP’s  BladeSystem  Matrix  starts  at  $150,000. 

Liquid  and  HP  have  both  criticized  Cisco  for 
focusing  solely  on  virtualization  at  the  expense 
of  applications  running  on  physical  servers. 
Cisco  documentation  on  UCS  say  it  does  sup¬ 
port  baremetal  operating  environments,  but 
HP  says  its  own  system  goes  a  step  further  by 
managing  physical  and  virtual  resources  from 


directors  offering  to  buy  all  outstanding  shares 
of  Emulex  common  stock  for  $9.25  per  share,  a 
40%  premium  of  the  closing  price  of  Emulex’s 
stock  on  Monday  according  to  Broadcom. 

Broadcom  produces  semiconductors  used 
mainly  in  communications  products,  such  as 
communications  networks,  cell  phones  and 
cable  set-top  boxes.  Emulex  provides  technol¬ 
ogy  for  connecting  storage,  servers  and  net¬ 
works  in  data  centers. 


the  same  pane  of  glass. 

HP’s  BladeSystem  Matrix  starter  kit  comes  in 
a  full  rack  with  ProLiant  blades;  a 
StorageWorks  array;  HP  Virtual  Connect  Flex-10 
Ethernet  and  8GB  Fibre  Channel  modules;  and 
Insight  Dynamics  software  to  manage  and 
automatically  provision  resources.  For  virtual¬ 
ization,  HP  gives  customers  a  choice  of 
VMware,  Microsoft  and  Citrix  hypervisors. 

Starter  kits  can  be  as  small  as  a  few  blades  in 
one  rack,  but  expansion  kits  based  on  a  mod¬ 
ular  architecture  will  let  customers  scale  up 
without  limits,  Ganthier  says. 

HP  last  week  also  announced  a  new 
LeftHand  storage-area  network  product  and 
other  storage  systems  designed  for  virtual 
servers.  The  various  products  are  all  based  on 
the  idea  that  there  should  be  more  flexible 
connections  between  servers  and  storage  and 
that  IT  shops  should  be  able  to  converge  on  a 
single  infrastructure  that  eliminates  complexi¬ 
ty  according  to  HP  Ganthier  promised  several 
other  announcements  on  this  theme  in  the 
next  couple  of  months.  ■ 
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In  the  letter,  Broadcom  President  and  CEO 
Scott  McGregor  reiterated  his  belief  that  the 
deal  makes  sense  for  both  companies.  He  said 
Broadcom  is  going  public  with  its  offer  follow¬ 
ing  the  breakdown  of  talks  between  the  com¬ 
panies  in  January  and  subsequent  poison-pill 
tactics  by  Emulex  to  avoid  further  engage¬ 
ment. 

“It  is  difficult  for  us  to  understand  why 
Emulex’s  Board  of  Directors  has  not  been 
open  to  consideration  of  a  combination  of  our 
respective  companies,”  he  wrote.  “We  would 
much  prefer  to  have  engaged  in  mutual  and 
constructive  discussions  with  you.  However 
this  opportunity  is  in  our  view  so  compelling 
we  now  feel  we  must  share  our  proposal  pub¬ 
licly  with  your  shareholders.” 

In  a  statement  last  week  Emulex  confirmed  it 
received  the  bid  from  Broadcom  and  said  its 
board  is  reviewing  the  proposal. 

Broadcom  wants  Emulex  mainly  for  its  Fibre 
Channel  storage-networking  expertise,  accord¬ 
ing  to  McGregor,  and  thinks  the  deal  would 
benefit  shareholders,  customers  and  employ¬ 
ees  of  both  companies  for  several  reasons.  Not 
only  would  Emulex  shareholders  receive  a  pre¬ 
mium  on  their  shares,  he  said,  but  the  com¬ 
bined  company  which  has  little  product  over¬ 
lap,  could  use  its  portfolio  to  provide  low-cost, 
network-converged  storage  and  networking  to 
customers,  he  said. 

The  logistical  and  cultural  integration  of  the 
companies  would  be  fairly  painless  as  well, 
McGregor  said,  because  their  offices  are  close 
to  one  another  in  Orange  County  California, 
and  both  companies  mainly  employ  highly 
skilled  engineers. 

“We  have  a  great  deal  of  respect  for  the  tech¬ 
nical  achievements  of  the  Emulex  team,  and 
believe  the  continued  motivation  and  produc¬ 
tivity  of  Emulex’s  employees  is  critical  to  our 
combined  success,”  he  wrote.“Broadcom  has  a 
culture  rich  in  innovation,  high  quality  execu¬ 
tion,  and  a  willingness  to  invest  aggressive!/ ■ 
Security: The ugly business

Mark Gibbs

Security is an ugly business because when you have a problem there’s rarely an elegant, straightforward solution. What you usually wind up with is a solution that’s just “good enough.” I recently learned of a great example that illustrates this point.

I read an amazing report titled “ATM Card Skimming and PIN capturing Awareness Guide” (see www.nwdocfinder.com/9749) published by Commonwealth Bank, a large Australian financial services provider.

Card skimming is the art of stealing data from the magnetic stripe on the back of an ATM card. The devices used to do this are smaller than a deck of cards and (this is the biggie) “often fastened in close proximity to or over the top of an ATM’s factory-installed card reader.”

Then the crooks typically install another piece of equipment to capture the PIN associated with the user’s card. These devices have been found in the lights that illuminate the ATM’s keyboard, near the speaker, in the indent that houses the screen, or even over the keyboard.

The report offers photographs of machines that have been modified with card skimming devices and the amazing thing is they all look like bona fide parts of the ATM. There is little visual clue that the device you’re pushing your card into is an add-on.

The same applies to the PIN capturing modifications, most of which seem to involve cameras mounted in things such as false fascias that are attached to the ATMs or in leaflet holders. Another approach is to overlay a false keypad on the real keypad.

According to the report the bad guys “tend to attach skimming devices either late at night or early in the morning, and during periods of low traffic . . . [and usually only leave them] attached for a few hours.”

And the advice the report offers on how to fight back? There are several suggestions but let me summarize: Know thy ATM.

This is, of course, a poor solution because it assumes that those charged with the care and feeding of ATMs will be diligent and painstaking. While a percentage might well be, we know for certain that in a large population of these workers at least a few will not.

Second, what they are trying to do is work around a fundamental design flaw. If you can’t easily distinguish a modified machine from one that hasn’t been, then mistakes will be made even by the most diligent ATM wranglers and security will be breached.

This is a classic risk management problem: We’ve rolled out a solution that is in wide use and we have now identified a serious problem.

We have two choices: Go to the expense and trouble of redesigning the solution, knowing that whatever we do is unlikely to solve the problem perfectly, or devise a workaround as Commonwealth Bank has done (if you can call asking staff to be more diligent a workaround) and face larger losses but avoid the huge costs associated with a redesign.

In the case of ATMs there’s also consumer confidence to consider. Some banks are exploring use of one-time codes generated by handheld devices that would thwart the skimming/capturing problem, but devices can be easily lost and it would be yet another gizmo you would have to carry.

This ATM security issue is exactly like many other IT security problems in that there is no “best solution”; there is only a solution that is less ugly than the alternatives.

Gibbs is secure in Ventura, Calif. He thinks. Confess your exposure to backspin@gibbs.com.


Politicians need their own slice of the ’Net

NETBUZZ

On the surface, Washington attorney Matt Sanderson would appear to be pitching a tough sell: special protection online for politicians. However, because the villains here are predatory criminals and cybersquatters, it should be easy enough for all but the anarchists to see that he has a point.

In a recent column in the Washington Post, Sanderson makes the case for ICANN to institute a .pol top-level domain that would be reserved exclusively for real politicians and candidates . . . and be off limits to the speculators.

He cites as examples of the need the troubles encountered by President Obama and former eBay CEO Meg Whitman in securing eponymous .com names in advance of running for president and governor of California. Both eventually bought off their cybersquatters.

Boo-hoo, you say? Whitman’s a billionaire and Obama raised enough money online to bail out the auto industry . . . Well, this isn’t merely about the money, or even primarily about it.

Sanderson writes: “In 2004, for example, a cybersquatter deceitfully solicited funds through JohnFKerry-2004.com, which was nearly identical to Sen. John Kerry’s authorized site. Likewise, in 2008, the cybersquatter site JohnMcain.com featured a contribution page almost indistinguishable from the similarly spelled official campaign site, JohnMcCain.com. Such counterfeit contribution pages raise serious monetary- and identity-theft concerns.”

At least these crooks are non-partisan.

Reading Sanderson’s column prompted a few questions so I e-mailed him asking, among other things: Given that .com dominates the public’s consciousness, wouldn’t candidates still be compelled to fight for and/or buy the .com versions of their campaign sites lest those .com sites be used against them? In other words, is it fair to say that .pol would be at best a partial solution?

His reply: “No, I don’t think it is a partial solution. In the long term, most Internet users would grow accustomed to visiting .pol sites to volunteer, contribute, etc., much the way they now know to visit .edu to visit a university’s official site. Eventually candidates would not feel any more compelled to purchase a .com site than a university does.

“In the short term, though, you are right that many users will want to turn to .com sites. But even though this is the case, I think .pol would help significantly reduce the price that cybersquatters are able to fetch for a domain name.”

There was more to our exchange, which, if you’re interested, can be read at www.nwdocfinder.com/9731.

Democracy in action on Facebook?

In February Facebook users wailed about new terms-of-service language they saw paving the way for Facebook to sell their every scribbling and photo to the highest bidder. The company backed off the changes and opened up a dialogue with interested parties to craft another version. . . . Good move.

Then Facebook went one step further by offering users an opportunity to vote: Do you want the newly drafted terms that include all the privacy-protecting goodness collected from concerned parties? Or, would you prefer the original legalese? . . . What could be more democratic?

Well, there was a catch. Facebook attached to the referendum a condition, namely that 30% of its 200 million active users — roughly 60 million — would need to participate for the results to be binding.

Only about 650,000 of us voted (three-quarters picked the new terms, which presumably will be adopted). Next time, let’s skip the faux vote.

Direct your fine print to buzz@nww.com.
ALTERNATIVE THINKING ABOUT CONTROL AND CONSOLIDATION:

When it comes to IT, your universe is always expanding. Needs increase, resources are stretched and options can be limited. But now, you can rethink how you control and optimize your physical and virtual servers by integrating them with one powerful software solution, Insight Dynamics — VSE. Now you can increase flexibility, improve cost and energy efficiency, and simplify daily operations.

Supporting this technology is HP's commitment to service and dependability — a point of difference that led IDC to name HP the #1 vendor for virtualization.*

Technology for better business outcomes.
AMD Opteron

Quad-Core AMD Opteron™ Processor, with AMD Virtualization™ technology

Ideal for general-purpose solutions and high-performance computing

Affordable, modular rack systems to give your IT department the flexibility to expand with your business

Quad-Core AMD Opteron™ Processor, with AMD Virtualization™ technology

Infrastructure-in-a-box saves you time, power and money by reducing repetitive parts and redundant operations

Add, replace and recover resources on the fly without rewiring

AMD, the AMD arrow logo, AMD Opteron and combinations thereof, are trademarks of Advanced Micro Devices, Inc.

© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
*Source: IDC Quarterly Server Virtualization Tracker, October 2008.


Your potential. Our passion.

Microsoft

To get more SQL Server 2008 product info on your phone, snap a picture of this tag. (Requires a free mobile app from http://gettag.mobi)

Announcing a shocking development in data management.

Managing data with Microsoft® SQL Server® 2008 Enterprise lets you turn that data into a new form of energy for your company. Here's how: with built-in advanced Data Compression you can store and manage growing volumes of data more efficiently to reduce storage costs. Oracle charges extra for this functionality.* A lot extra. Discover more energy at SQLServerEnergy.com

Microsoft SQL Server 2008

*Pricing is based on Microsoft estimated retail price and published Oracle prices available at http://www.oracle.com/corporate/pricing/technology-price-list.pdf as of 1/29/2009. Actual reseller prices may vary.


